There may soon be a new standard that makes IPSec VPNs more secure and easier to configure.
After two years of deliberations, a committee of the Internet Engineering Task Force met last month and declared it is just about ready to publish a proposal to replace Internet Key Exchange (IKE), the protocol that manages encryption keys under the IPSec standards.
The group was looking at revising IKE because it was deemed theoretically at risk of attacks, although no successful exploit has ever been reported.
Part of its weakness stems from the fact that it is complex. This not only makes it more likely that someone can figure out a successful assault, but it also makes it more difficult for vendors to make their implementations interoperable with those of other vendors. Interoperability problems make it more difficult to create VPN tunnels with business partners that have bought VPN gear from different vendors.
The new proposal, called IKEv2, would be less flexible than IKE, but that is the price of simplicity. This streamlining of the protocol would also be reflected in the configuration parameters of VPN equipment: With fewer parameters to set, configuration would be less time consuming. With fewer fields to fill in, it would also reduce the opportunity for human error that can take a lot of effort to uncover and correct.
The publication of the standard is expected before the IETF's next meeting in March and a vote on the proposal is expected shortly after that. When vendors start implementing it, using IPSec VPNs may be a bit simpler.