[802SEC] FW: [New-work] WG Review: Better-Than-Nothing Security (btns)
IEEE 802 WG Chairs,
The following new work item in the IETF may be of interest to members of
your IEEE 802 WG. Feel free to forward as appropriate.
From: firstname.lastname@example.org [mailto:email@example.com] On
Behalf Of IESG Secretary
Sent: Tuesday, March 08, 2005 11:20 AM
Subject: [New-work] WG Review: Better-Than-Nothing Security (btns)
A new IETF working group has been proposed in the Security Area.
The IESG has not made any determination as yet. The following
description was submitted, and is provided for informational purposes
Please send your comments to the IESG mailing list (firstname.lastname@example.org) by
Better-Than-Nothing Security (btns)
Current Status: Proposed Working Group
Current Internet Protocol security protocol (IPsec) and Internet Key
Exchange protocol (IKE) present somewhat of an all-or-nothing
alternative; these protocols provide protection from a wide array of
possible threats, but are sometimes not deployed because of the need for
pre-existing credentials. There is significant interest in providing
anonymous keying for IPsec between two parties who do not have
credentials suitable for the current profile of IKE. This mode would
protect against passive attacks but would be vulnerable to active
The primary purpose of this working group is to specify extensions to or
profiles of IKE to enable this mode of IPsec.
The goal of this relaxed varient of IPsec is to enable and encourage the
use of network security where it has been difficult to deploy - notably,
to enable simpler, more rapid deployment.
Two related problems emerged during the discussion of this problem.
First, there is a desire in the KITTEN, RDDP, NFSv4 and potentially
otherc working groups to perform anonymous authentication at the IPsec
layer and later cryptographically bind the IPsec association to
application authentication. The specification of how this binding is
performed for IPsec and the specification of how the binding interact
with application authentication protocols are out of scope for this
working group. However, the interactions between this cryptographic
channel binding and the IPsec PAD will be similar to those for the
anonymous mode with no binding. This working group needs to consider the
channel bindings use case when developing extensions to the PAD and SPD.
Secondly, BTNS and the channel bindings work both encourage IPsec to be
used to secure higher layer protocols. AS such we need to consider what
information these higher layer protocols need from IPsec.
Two proposals are under discussion for providing anonymous keing for
IPsec: bare RSA keys transported by IKE and self-signed certificates
transported by IKE.
The WG has the following specific goals over three IETF meetings:
a) develop a framework document to describe the motivation and goals of
these infrastructure-free variants of security protocols in general, and
IPsec and IKE in specific
b) develop an applicability statement, characterizing a reasonable set
of threat models with relaxed assumptions suitable for
infrastructure-free use, and describing the limits and conditions of
appropriate use of infrastructure-free variants
c) develop standards-track IKE extensions and/or profiles that support
one or both of the bare RSA keys or self-signed certificates
d) Specify standards-track extensions to the SPD and PAD to support
anonymous keying for IPsec and cryptographic channel bindings for IPsec
e) Develop an informational document giving advice to IPsec implementers
and higher-level protocol designers on the use of IPsec in securing
New-work mailing list
This email is sent from the 802 Executive Committee email reflector. This list is maintained by Listserv.