IP Security Maintenance and Extensions (ipsecme)
------------------------------------------------

 Charter
 Last Modified: 2011-12-09

 Current Status: Active Working Group

 Chair(s):
     Paul Hoffman
     Yaron Sheffer

 Security Area Director(s):
     Stephen Farrell
     Sean Turner

 Security Area Advisor:
     Sean Turner

 Mailing Lists:
     General Discussion: ipsec@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/ipsec
     Archive:            http://www.ietf.org/mail-archive/web/ipsec/

Description of Working Group:

  The IPsec suite of protocols includes IKEv1 (RFC 2409 and associated
  RFCs), IKEv2 (RFC 4306, RFC 4718, and associated RFCs), and the IPsec
  security architecture (RFC 4301). IPsec is widely deployed in VPN
  gateways, VPN remote access clients, and as a substrate for
  host-to-host, host-to-network, and network-to-network security.

  The IPsec Maintenance and Extensions Working Group continues the work
  of the earlier IPsec Working Group which was concluded in 2005. Its
  purpose is to maintain the IPsec standard and to facilitate discussion
  of clarifications, improvements, and extensions to IPsec, mostly to
  IKEv2. The working group also serves as a focus point for other IETF
  Working Groups who use IPsec in their own protocols.

  The current work items include:

  In an environment with many IPsec gateways and remote clients that
  share an established trust infrastructure (in a single administrative
  domain or across multiple domains), customers want to get on-demand
  point-to-point IPsec capability for efficiency. However, this cannot
  be feasibly accomplished only with today's IPsec and IKE due to
  problems with address lookup, reachability, policy configuration, and
  so on.

  The IPsecME Working Group will handle this large scale VPN problem by:

  * Creating a problem statement document including use cases,
    definitions and proper requirements for discovery and updates. This
    document would be solution-agnostic.
  * Publishing a common solution for the discovery and update problems
    that will satisfy the requirements in the problem statement
    document. The working group may standardize one of the vendor
    solutions, a combination, a superset of such a solution, or a new
    protocol.
  * Reviewing and helping publish Informational documents describing
    current vendor proprietary solutions.

  This charter will expire in January 2014 (24 months from approval). If
  the charter is not updated before that time, the WG will be closed and
  any remaining documents revert back to individual Internet-Drafts.

Goals and Milestones:

  Done      WG last call on IPv6 configuration payloads
  Done      WG last call on IPsec roadmap
  Done      WG last call on session resumption
  Done      WG last call on redirect
  Done      WG last call on IKEv2bis
  Done      WG last call on ESP NULL traffic visibility
  Done      WG last call on HA requirements
  Done      WG last call on quick crash discovery
  Done      WG last call on EAP-only authentication
  Nov 2012  IETF Last Call on large scale VPN use cases
  Jun 2013  IETF Last Call on large scale VPN protocol

Internet-Drafts:

  No Current Internet-Drafts.

Request For Comments:

  RFC      Stat  Published    Title
  -------  --    -----------  ------------------------------------
  RFC5685  PS    Nov 2009     Redirect Mechanism for the Internet Key
                              Exchange Protocol Version 2 (IKEv2)
  RFC5723  PS    Jan 2010     Internet Key Exchange Protocol Version 2
                              (IKEv2) Session Resumption
  RFC5739  E     Feb 2010     IPv6 Configuration in Internet Key Exchange
                              Protocol Version 2 (IKEv2)
  RFC5840  PS    Apr 2010     Wrapped Encapsulating Security Payload (ESP)
                              for Traffic Visibility
  RFC5879  I     May 2010     Heuristics for Detecting ESP-NULL Packets
  RFC5930  I     Jul 2010     Using Advanced Encryption Standard Counter
                              Mode (AES) with the Internet Key Exchange
                              version 02 (IKEv2) Protocol
  RFC5996  PS    Sep 2010     Internet Key Exchange Protocol Version 2
                              (IKEv2)
  RFC5998  PS    Sep 2010     An Extension for EAP-Only Authentication in
                              IKEv2
  RFC6027  I     Oct 2010     IPsec Cluster Problem Statement
  RFC6071  I     Feb 2011     IP Security (IPsec) and Internet Key Exchange
                              (IKE) Document Roadmap
  RFC6290  PS    Jun 2011     A Quick Crash Detection Method for the
                              Internet Key Exchange Protocol (IKE)
  RFC6311  PS    Jul 2011     Protocol Support for High Availability of
                              IKEv2/IPsec