Chicago IETF (August, 1998) IPsec Working Group Meeting Minutes

The WG met on Tuesday at the IETF meeting in Chicago, from 14:15 to 15:15. Approximately 120 people attended. The session was broadcast over the MBONE.

The agenda was as follows (with hypertext links to the slides, where available):

Workgroup status

Ted gave a report on the status of the IPSEC working group. The full suite of Internet Drafts has been approved by the IESG. They are currently being processed by the RFC editor and should be published shortly. It is now time to revisit the IPSEC charter, since almost all of the goals and milestones in the original charter have been met.

Workshop announcement

Microsoft will be sponsoring an IPSEC interoperability testing workshop in Redmond from August 31 to September 3. Approximately 20-25 companies have signed up for the workshop. William Dixon is the contact person for this workshop.

IBM is also sponsoring another round of interoperability testing in Binghamton, NY, on October 27-30. This test will also include L2TP. The $300 fee has been waived by IBM.

Charter revision

Bob Moskowitz led a discussion of proposed new work items for the revised charter. These items included:

The working group chairs will compose a new proposed charter based on these suggestions, and present it to the working group.

Discovered problems with IPsec/IKE based on current implementation experience

Lifetime discussion

Although there is a default value established for Phase 2 lifetimes, there is no similar default for Phase 1 lifetimes. Unfortunately, there are conflicting interpretations of how to proceed in the absence of an explicitly specified Phase 1 lifetime. There is an optional notification facility, but it is unclear what happens if the notified value isn't acceptable. This underspecification has an interoperability impact. (This will need to be corrected in a protocol errata.)

ICMP messages, standardized error codes, and MIB's

Michael Richardson gave a presentation on two problems he has been concentrating on. One is the issue of Path MTU discovery across an IPSEC tunnel, which could be ignored in IPv4 but not in IPv6. (IPv6 drops packets larger than the MTU instead of fragmenting them; on the other hand, the IPv6 minimum MTU is also much bigger, so perhaps the problem can be ignored.)

The other area of concern is the interaction of ICMP messages with IPSEC, which is needed to support diagnostic tools such as traceroute and ping.

Policy/tunnel endpoint discovery

Roy Pereira has some drafts forthcoming which will cover IPSEC policy and tunnel endpoint discovery issues. These include how a new machine on the network bootstraps itself by obtaining its first policy, and secure route discovery in the face of complex topologies and multiple secure paths for load balancing and/or redundancy.

IKE DH-less mode

Pau-Chen gave a presentation on a proposed alternative IKE mode which does not use Diffie-Hellman. It is faster, but it does not provide perfect forward secrecy.

Policy-based Security Management

Luis Sanchez gave a presentation on Security Policy Management work under way at BBN.