Greetings, I have a several comments and suggestions for the proposed charter:
In paragraph 2, suggest adding (ipsecme) after "IPsec Maintenance and Extensions Working Group" in second paragraph. In the paragraph about PQC, I suggest replacing the first two sentences with something more concise that also accounts for key establishment in concurrence with an earlier comment made by Valery on the previous email thread- there are still a couple of areas that have not yet been explored for key establishment or that would affect IKEv2 in general (such as use of TCP for lossy networks) and this (to me) warrants an explicit mention of key establishment in the charter and not just authentication. I see that the specific areas are mentioned in the last sentence, but it reads as those falling within the scope of authentication, which they do not. Additionally, the description of work on authentication seems like it is getting ahead of what has been decided by the WG so far. I think there is agreement that quantum-resistant digital signatures will be supported in IKEv2, but none of the drafts have been adopted yet. And as a nit: Postquantum -> Post-Quantum Perhaps something like: The working group will continue to develop and maintain solutions to facilitate the transition to and use of Post-Quantum Cryptography (PQC) for key establishment and authentication in IKEv2. For authentication, the IKEv2 protocol will be updated to support PQ authentication algorithms. Future PQC-related work may also include identifying and standardizing solutions related to transport issues that arise due to large public key and ciphertext sizes of PQ algorithms. While I do not see a downside to keeping the explanation of authentication work short, perhaps something like the following could be used if others feel it should be expanded (The "may be used" is my attempt not to get ahead of decisions made by the WG so far): "For authentication, the IKEv2 protocol will be updated to support PQ authentication algorithms that may be used as a direct replacement for current authentication algorithms, or alongside current algorithms as part of a hybrid solution." And some nits in the last three paragraphs: "IKEv2, ESP and AH" -> "IKEv2, ESP, and AH" "was last time updated" -> "were last updated" "The working group will work on the updating these documents." -> "The working group will update these documents." "(for example sha3, and including post quantum algorithms)" -> "(for example, SHA-3 and PQC)" "There has been some need for tools making debugging IPsec configurations easier" -> "There is a need for tools that make it easier to debug IPsec configurations" "One such protocol could be esp-ping." -> "One such tool could be the esp-ping protocol." "and there has been seen that there might be some need to make enhancements to it" -> "and there may be a need to make enhancements to it" - Rebecca Rebecca Guthrie she/her Center for Cybersecurity Standards (CCSS) Cybersecurity Collaboration Center (CCC) National Security Agency (NSA) -----Original Message----- From: Tero Kivinen <kivi...@iki.fi> Sent: Tuesday, December 3, 2024 9:30 AM To: sec-...@ietf.org Cc: ipsec@ietf.org Subject: [IPsec] IPsecME rechartering We have now finished our discussion about the IPsecME WG rechartering. Here is the proposed new charter: ---------------------------------------------------------------------- The IPsec suite of protocols includes IKEv1 (RFC 2409 and associated RFCs, IKEv1 is now obsoleted), IKEv2 (RFC 7296), the IPsec security architecture (RFC 4301), AH (RFC 4302), and ESP (RFC 4303). IPsec is widely deployed in VPN gateways, VPN remote access clients, and as a substrate for host-to-host, host-to-network, and network-to-network security. The IPsec Maintenance and Extensions Working Group continues the work of the earlier IPsec Working Group which was concluded in 2005. Its purpose is to maintain the IPsec standard and to facilitate discussion of clarifications, improvements, and extensions to IPsec, mostly to ESP and IKEv2. The working group also serves as a focus point for other IETF Working Groups who use IPsec in their own protocols. The current work items include: Postquantum Cryptography brings new authentication methods. The working group will develop a solution, that allows adding Postquantum authentication methods. The solution will allow post quantum authentication methods to be performed in parallel with (or instead of) the existing authentication methods. This work item may also include solutions for transport issues because of larger payload and message sizes. The cryptographic algorithm implementation requirements and usage guidance documents for IKEv2, ESP and AH was last time updated in 2017. The working group will work on the updating these documents. This may also include defining how to use additional algorithms for IPsec in separate documents (for example sha3, and including post quantum algorithms). There has been some need for tools making debugging IPsec configurations easier, and the working group will work on documents to help that. One such protocol could be esp-ping. The ESPv3 protocol was defined in 2005 and there has been seen that there might be some need to make enhancements to it. The working group will analyze the possible problems and work on solving them. This may include updating ESP, AH, and/or WESP standards, or result in a new security protocol. -- kivi...@iki.fi _______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org _______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org
