**Session Date/Time:** 26 Jul 2023 22:30

# ipsecme

## Summary

The ipsecme working group session covered a wide range of topics, including document status updates, presentations on several draft proposals, and discussions of potential solutions to existing IPsec problems. Key areas of focus included optimized IKEv2 exchanges, hyperscale IPsec, DSCP-based traffic selection, fragmentation handling, header compression, and alternative approaches to replay protection. Several action items were identified, and the need for further discussion on the mailing list was emphasized.

## Key Discussion Points

* **Document Status:** Updates were provided on RFC publications and on documents in the RFC Editor queue. Reminders were issued regarding the working group last call for "Unown Speech" and the need for security considerations in the "TS payloads optional" draft. A query was raised regarding the status of the "Multi-SA Performances" draft and whether earlier objections had been resolved.
* **Optimized IKEv2 Exchanges:** Discussion centered on updating RFC 7296 to allow Notify messages without an SA payload, handling PFS in the initial child exchanges, and selecting appropriate error codes. Tero Kivinen suggested limiting the use of optimized IKEv2 to specific scenarios.
* **Hyperscale IPsec (ERPI):** Concerns and solutions surrounding large-scale deployments, including replay protection challenges, were presented. The need to port the replay status notification from IKEv1 to IKEv2 was discussed. Joel Halpern invited participation in the SAVNET working group.
* **DSCP-Based Traffic Selection:** Daniel presented a draft on negotiating security associations based on DSCP values. Questions were raised regarding the rationale for using DSCP as a selector and its relationship to the existing IPsec architecture.
* **Fragmentation Handling:** Daniel also presented mechanisms to mitigate fragmentation, including messages that inform the ingress gateway when fragmentation occurs. Kristen pointed out potential issues related to dropping ICMP "packet too big" messages, and Ben Schwartz suggested leveraging the "don't fragment" bit and PMTUD.
* **Header Compression Profile:** Daniel introduced a compression profile based on the generic framework for Static Context Header Compression (SCHC), designed to reduce overhead in VPN scenarios.
* **Anti-Replay Sequence Number Subspaces:** Mohsen presented an updated draft that uses multiple sequence number subspaces for improved performance. The need for IPR disclosures was highlighted.
* **Decoupled Transports for IKE and ESP:** Valery presented a proposal to decouple the transports used for IKE and ESP, using TCP for IKE and UDP for ESP.
* **ESP Problem Statement:** Stephan presented an analysis of ESP problems, focusing on replay protection challenges, and identified potential solutions, including disabling replay protection, increasing the window size, using multiple SAs/Child SAs, and using multiple sub-Child SAs.

## Decisions and Action Items

* **Optimized IKEv2 Exchanges:** The document author should take the discussion points to the mailing list.
* **Multi-SA Performances:** Authors to solicit feedback from Valery and another individual regarding the latest draft version and to confirm that prior objections have been resolved.
* **Hyperscale IPsec (ERPI):** Interested parties to reach out to participate in a mailing list dedicated to the topic.
* **DSCP-Based Traffic Selection:** The document authors should re-evaluate the use of DSCP as a selector, taking into account the concerns raised regarding established practices and configurations.
* **Fragmentation Handling:** Document author to re-evaluate the packet-too-big notification based on feedback from the group.
* **General:** The chair will discuss document adoption with the Area Director.
* **Anti-Replay Sequence Number Subspaces:** Paolo mentioned three IPR claims on this draft. The people involved should reach out to help clarify these IPR claims.
* **Interim Meeting:** Paul proposed a possible interim meeting to achieve a somewhat faster cadence.
* **Clarify charter:** Check with the Area Director on whether the draft proposals fall within the current charter.

## Next Steps

* Authors to incorporate feedback from the session into revised drafts.
* Working group participants to engage in further discussion on the mailing list.
* Chair to consult with the Area Director regarding charter alignment and document adoption.
* Explore options for an interim meeting, depending on interest.
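The replay protection problem that runs through the "Hyperscale IPsec", "Anti-Replay Sequence Number Subspaces" and "ESP Problem Statement" items is easier to see with the receiver's anti-replay window in front of you. The following is an added example, written for this summary and not taken from the session, from any of the drafts discussed, or from any IPsec implementation. It implements the sliding-window check in the style of RFC 4303 Appendix A, then runs it over a constructed traffic pattern in which four sender cores draw sequence numbers from one shared counter and one core delivers its packets late. The `multicore_arrivals` model, the lag values and the "one window per core" receiver are all assumptions made for illustration; the per-core receiver only illustrates the general idea of partitioning the sequence space and is not the mechanism of the subspace draft itself.

```python
"""Added example (not from the ipsecme session or any draft): why a single
ESP anti-replay window drops legitimate packets from a multi-core sender,
and how a larger window or a partitioned sequence space avoids the drops."""

from dataclasses import dataclass


@dataclass
class ReplayWindow:
    """Receiver-side anti-replay state for one SA (RFC 4303 Appendix A style).

    `size` is the window width in packets, `highest` the largest sequence
    number accepted so far, and bit i of `bitmap` records whether sequence
    number (highest - i) has already been seen.
    """
    size: int = 64
    highest: int = 0
    bitmap: int = 0
    accepted: int = 0
    rejected: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:                      # ESP sequence numbers start at 1
            self.rejected += 1
            return False
        if seq > self.highest:            # advance the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:           # too old: fell off the left edge
            self.rejected += 1
            return False
        if self.bitmap & (1 << offset):   # already seen: a replay
            self.rejected += 1
            return False
        self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def multicore_arrivals(cores: int, batch: int, batches: int, lag: dict) -> list:
    """Constructed traffic model (an assumption of this example, not measured
    data): `cores` senders take sequence numbers round-robin from one shared
    counter, each ships `batch` packets per time slot, and core c's packets
    reach the receiver lag.get(c, 0) slots late. Returns arrival-ordered
    (core, global_seq, per_core_seq) tuples."""
    events = []
    per_core_count = {c: 0 for c in range(cores)}
    for seq in range(1, cores * batch * batches + 1):
        core = (seq - 1) % cores
        per_core_count[core] += 1
        slot = (seq - 1) // (cores * batch) + lag.get(core, 0)
        events.append((slot, core, seq, per_core_count[core]))
    events.sort()
    return [(core, seq, local) for _, core, seq, local in events]


def run_single_window(arrivals: list, window_size: int) -> tuple:
    """One SA, one window over the shared sequence space."""
    win = ReplayWindow(size=window_size)
    for _, seq, _ in arrivals:
        win.check_and_update(seq)
    return win.accepted, win.rejected


def run_partitioned_windows(arrivals: list, window_size: int, cores: int) -> tuple:
    """Illustration of partitioning: each core has its own counter and the
    receiver keeps one window per partition (assumed layout, not a draft's)."""
    wins = {c: ReplayWindow(size=window_size) for c in range(cores)}
    for core, _, local_seq in arrivals:
        wins[core].check_and_update(local_seq)
    return (sum(w.accepted for w in wins.values()),
            sum(w.rejected for w in wins.values()))


if __name__ == "__main__":
    traffic = multicore_arrivals(cores=4, batch=16, batches=8, lag={3: 2})
    print("single window, size 64 :", run_single_window(traffic, 64))
    print("single window, size 256:", run_single_window(traffic, 256))
    print("per-core windows, size 64:", run_partitioned_windows(traffic, 64, 4))
```

With the default 64-packet window the late core's packets arrive more than a window behind the highest sequence number the other cores have already pushed, so they are dropped as "too old" even though none is a replay; a 256-packet window or one window per partition accepts every packet. That is the trade-off behind the options listed under the ESP problem statement: a larger window costs receiver state and still has a limit, disabling replay protection removes the drops along with the protection, and partitioning the sequence space (multiple SAs or sub-Child SAs, or subspaces within one SA) keeps each window's traffic in order.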