The IETF IP Security Working Group News

WG meetings held in Montreal:
Tuesday, June 25 at 1530 (opposite dhc, rolc)
Wednesday, June 26 at 1530 (opposite agentx, dhc)

Minutes of the WG Meetings

Official Archival Directory
December '95 meeting
July '95 meeting
July SKIP BOF '95

The Los Angeles meeting has concluded; minutes are presumably in the directory. The Montreal meeting has concluded; minutes are presumably in the directory. The San Jose meeting has concluded; minutes are presumably in the directory.

Specifications

  • Architecture
  • The Authentication Header
  • The Encapsulation Mode
  • MD5 Transform (and a related MD5 algorithm description)
  • HMAC: Keyed-Hashing for Message Authentication
  • HMAC-MD5 IP Authentication with Replay Prevention
  • The DES CBC transform
  • The 3DES CBC transform
  • IP Authentication using Keyed SHA
  • IP in IP Tunneling
  • RFC for assigned numbers, (NB: SIPP-ESP, SIPP-AH, and IPIP are defined here)
    • A draft related to IPSEC: ICMP error messages.

    In addition, there are drafts for key exchange protocols:

  • The Oakley/ISAKMP Resolution draft
  • The Internet IP Security Domain of Interpretation for ISAKMP , D. Piper
  • The Oakley Key Exchange Protocol draft
  • The Photuris Key Exchange Protocol draft
  • Photuris Extensions draft
  • Photuris Schemes and Privacy Protection draft
  • Internet Security Association Key Management Protocol (ISAKMP) , and postscript version.
  • Simple Key-Management For Internet Protocols-Plus (SKIPP). There is a SKIP web page, too. The full set of SKIP drafts:
  • SKIP
  • SKIP Algorithm Discovery
  • X509 Encoding of Diffie-Hellman Certificates
  • Encoding of Unsigned DH public values
  • SKIP extensions for Multicast
  • Certificate discovery protocol
  • Perfect Forward Secrecry
  • RFC The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)
    • Related drafts include:
  • IPSEC Transforms:
  • The ESP Stream Transform, by G. Caronni, M. Waldvogel
  • HMAC-MD5: IP Authentication with Replay Prevention, by M. Oehler and Rob Glenn.
  • HMAC-SHA: IP Authentication with Replay Prevention, by S. Chang and Rob Glenn.
  • Keyed-MD5 for Message Authentication by H. Krawczyk
  • A combined integrity and encryption transform for ESP, using MD5 and DES by W. Simpson
  • Combined DES and MD5 transform for ESP by J. Hughes
  • Combined 3DES-CBC, HMAC and Replay Prevention Security Transform, by N. Doraswamy
  • Internet Security Transform Enhancements by W. Simpson
  • RFC 1949 Scalable Multicast Key Distribution by A. Ballardie
  • Authenticated Firewall Traversal with IPsec by M. Richardson
  • IP Encapsulation within IP by C. Perkins
  • Internet Public Key Infrastructure
  • DSS Certificate Encodings
  • Secure DNS
  • DNS Security Extensions
  • DNS Secure Dynamic Updates
  • DNS Security As Map
  • The Public Key Login Protocol, D. Kemp
  • A One-Time Password System by N. Haller and C. Metz
  • Group Key Management Protocol (GKMP) Architecture, H. Harney, C. Muckenhirn
  • RFC 1948 Defending Against Sequence Number Attacks by S. Bellovin
    • Related documents by working group members include:
  • Some IPSEC weaknesses by Steve Bellovin (smb@research.att.com)
  • The SKEME key exchange protocol by Kraczyk et al.
  • A technical paper about the strength of keyed hash functions by Bellare et al.
  • Slides from the University of Arizona presentation at the Dallas IPSEC WG meeting on key exchange performance parameters are available in postscript.
  • RC5 encryption
  • RC5 encryption (informational RFC)
  • RC5 as ESP transform (informational RFC)
  • Explanatory paper
    • Implementations (source code):
  • ISAKMP
  • NRL's ESP/AH (a gzip'd tar file)
  • Photuris and ESP/AH in the xkernel environment (a large compressed tar file)
  • SKIP with ESP/AH.
  • SKIP in Europe.

    • Combined mail list archives

    The mailing list archives for ipsec, ipsec-dev, and dnssec are archived:     Mar 19 through May 26, 1996, Jan 10 through Mar 19, 1996, Oct 23 to Jan 10, 1996, 1995 through October 23, with cross-references and subject-threaded links.

    Unless otherwise stated, the mailing list expresses the personal opinions of the contributors, not those of their employers.

    No maintenance is being done below this point; the developer's mailing list became inactive sometime in 1995

    Developer's mail index

    The developer's mailing list archive     index.

    Unless otherwise stated, the developer's mailing list expresses the personal opinions of the contributors, not those of their employers.

    Guide to developer's profiles:

    Metzger, Piermont Info Sys,
    Wagner and Bellovin, ATT,
    Glen, NIST,
    Frommer, RADGUARD,
    Touch, ISI,
    Fox, Morningstar,
    Orman, University of Arizona,

    Technical issues:

    SA manual interchange format, Bellovin.
    Support for multiple ESP modes/packet question,
    re-question,
    clarification of question,
    Housley answer re re-encryption,
    Metzger answer,
    clarification of question re utility not mechanism,
    Metzger answer,
    question per-connection vs. per-host keying,
    Metzger answer,
    utility of user selection question,
    Metzger requests clarification,
    Location of authentication header in IPv4, question, Metzger answer.
    Diffie-Hellman times
    IPv4 header processing,
    invariant fields, spec change suggested limit auth to pshdr,partial concurrence, partial concurrence, commentary, concurrence.
    ignore options, ratify question, name specific options, name specific options, several answers, etc.
    header length and frag concerns, slow links (1, 2, 3, re draft rfc on compression, fragmentation comment, time estimates).
    out-of-order fragments (1, 2, 3, 4, 5, 6)
    which fields can routers alter: 1, 2, 3, 4
    A Spoofing Attack?
    Photuris Q&A, and more