The Internet Engineering Task Force soon may sort out how to replace the standard protocol that manages encryption keys for IP Security VPNs with one that could lead to more secure VPNs and to equipment that is more interoperable and easier to configure.
Members of the group have been hashing out differences between two competing proposals to decide which will replace the current standard protocol, known as Internet Key Exchange (IKE).
Neither proposal drew major criticism during discussions on an IETF mailing list during the past week. Rather, discussion focused more on answering individual members' questions.
The alternative protocols, known as IKEv2 and Just Fast Keying (JFK), were proposed last year, but a point-by-point comparison of the two recently posted to an IETF discussion group sparked renewed interest. Initially, IETF members thought they would pick one or the other proposal to go forward with in March, but no decision has been made yet.
Issues raised so far include whether the proposed protocols are open to certain kinds of attacks and how to make them work across wireless networks.
If no major flaws are found with either IKEv2 or JFK, the IETF IPSec Working Group could poll members to see which proposal they want to pursue.
IKE as it is used today as part of IPSec has been deemed too complicated, which is a barrier to interoperability and a potential security weakness. While no security flaw has been exploited, the complexity of the protocol lends itself to the possibility that a weakness could be found.
A simpler protocol also would mean fewer configuration parameters on VPN gear using it, making equipment setup easier.
Contact Senior Editor Tim Greene
