Dear all, IPsec is an important protocol family of the Internet. And we think it may be more powerful just by adding a few changes to it.
Source Address Validation (SAV) is a problem that can be partially solved by using IPsec or other approaches. However, IPsec AH needs to hash the whole changeless fileds of the length-vairable packet and IPsec ESP needs to encrypt the whole packet. Therefore the AH or ESP are too costly and heavily to implement the source address validation. We design a new tech mechanism that uses RPKI and IPsec to solve the inter-domain SAV problem. This new mechanism needs to define a new type of IPsec SA using together with RPKI to validate the inter-domain layer source address. As it only needs to choose a little fields to protect but not the whole packet, this will dramaticaly decrease the computation cost compared with the original IPsec AH or ESP. Thus it may be used globally in the Internet. Two drafts were submitted for that purpose. The one, ERISAV, describes its motivation, main framework, and interactive process. And the other, RISAV, describes detailed things about how to use RPKI, IKE, and IPsec AH for source address validation. The drafts' link are 1. https://datatracker.ietf.org/doc/draft-xu-erisav/ 2. https://datatracker.ietf.org/doc/draft-xu-risav/ The above announcement is these drafts. We would like to work with the community to improve and clarify these tech drafts. Best regards. Yangfei Guo From: internet-drafts Date: 2022-09-15 16:15 To: Guozhen Dong; Jianping Wu; Ke Xu; Xiaoliang Wang; Yangfei Guo Subject: New Version Notification for draft-xu-erisav-00.txt A new version of I-D, draft-xu-erisav-00.txt has been successfully submitted by Yangfei Guo and posted to the IETF repository. Name: draft-xu-erisav Revision: 00 Title: Enhance with RPKI and IPsec for the Source Address Validation Document date: 2022-09-15 Group: Individual Submission Pages: 8 URL: https://www.ietf.org/archive/id/draft-xu-erisav-00.txt Status: https://datatracker.ietf.org/doc/draft-xu-erisav/ Html: https://www.ietf.org/archive/id/draft-xu-erisav-00.html Htmlized: https://datatracker.ietf.org/doc/html/draft-xu-erisav Abstract: Packet forwarding on Internet typically takes no place with inspection of the source address. Thus malicious attacks or abnormal behavior have been launched with the spoofed source addresses. This document describes an inter-domain source address validation with RPKI (Resource Public Key Infrastructure) and IPsec (IP Security), including the motivation, tech framework, main interactive process, and optional extensions. The IETF Secretariat ------------------------------------------------------------------------------------------------------- A new version of I-D, draft-xu-risav-00.txt has been successfully submitted by Yangfei Guo and posted to the IETF repository. Name: draft-xu-risav Revision: 00 Title: An RPKI and IPsec-based End-to-End Approach for Source Address Validation Document date: 2022-09-15 Group: Individual Submission Pages: 11 URL: https://www.ietf.org/archive/id/draft-xu-risav-00.txt Status: https://datatracker.ietf.org/doc/draft-xu-risav/ Html: https://www.ietf.org/archive/id/draft-xu-risav-00.html Htmlized: https://datatracker.ietf.org/doc/html/draft-xu-risav Abstract: Because the Internet forwards packets according to the IP destination address, packet forwarding typically takes no place with inspection of the source address. Therefore, malicious attacks or behaviors have been launched with spoofed source addresses. This document defines using RPKI (Resource Public Key Infrastructure) and IPsec (IP Security) to reinforce the security of source addresses in the inter- domain layer. The IETF Secretariat
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
