There might soon be a new standard that makes IP Security VPNs more secure and easier to configure.
After two years of deliberations, a committee of the Internet Engineering Task Force (IETF) is almost ready with a proposal to replace Internet Key Exchange (IKE), the protocol that manages encryption keys under the IPSec standards.
The group was looking at revising IKE because it was deemed theoretically at risk of attacks, although no successful exploit has ever been reported.
Part of its weakness stems from the fact that it is complex. In other words, attackers have more components to try to crack. The complexity also makes it more difficult for vendors to sync up their implementations with those of other vendors. Interoperability problems make it more difficult to create VPN tunnels with business partners that have bought VPN gear from different vendors.
The new proposal, called IKEv2, would be less flexible than IKE, but that is the price of simplicity. This streamlining of the protocol also would be reflected in the configuration parameters of VPN equipment: with fewer parameters to set, configuration would be less time-consuming. With fewer fields to fill in, there also would be less opportunity for human error that could take a lot of effort to uncover and correct.
At its recent meeting, the IETF working group on IPSec declared the draft of the IKEv2 proposal ready for publication, with a vote on it to follow shortly after that.