IPsec Channels: Connection Latching
RFC 5660, “IPsec Channels: Connection Latching”, is a Proposed Standard document published in October 2009 by N. Williams. The canonical text is published by the RFC Editor.
Abstract
This document specifies, abstractly, how to interface applications and transport protocols with IPsec so as to create "channels" by latching "connections" (packet flows) to certain IPsec Security Association (SA) parameters for the lifetime of the connections. Connection latching is layered on top of IPsec and does not modify the underlying IPsec architecture.
Connection latching can be used to protect applications against accidentally exposing live packet flows to unintended peers, whether as the result of a reconfiguration of IPsec or as the result of using weak peer identity to peer address associations. Weak association of peer ID and peer addresses is at the core of Better Than Nothing Security (BTNS); thus, connection latching can add a significant measure of protection to BTNS IPsec nodes.
Finally, the availability of IPsec channels will make it possible to use channel binding to IPsec channels. [STANDARDS-TRACK]
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 5660 is hosted at rfc-editor.org. Available in TXT,HTML.
- RFC 5659 An Architecture for Multi-Segment Pseudowire Emulation Edge-to-Edge
- RFC 5658 Addressing Record-Route Issues in the Session Initiation Protocol
- RFC 5657 Guidance on Interoperation and Implementation Reports for Advancement to Draft Standard
- RFC 5656 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
- RFC 5655 Specification of the IP Flow Information Export File Format
- RFC 5654 Requirements of an MPLS Transport Profile
- RFC 5653 Generic Security Service API Version 2: Java Bindings Update
- RFC 5652 Cryptographic Message Syntax