I have been asked to review draft-ietf-ippm-ipsec-08 for operational purposes. Fair disclaimer: I don’t claim to be a security expert. I would look for that review from the security directorate.

I would say that, for what this intends to do, it is ready to go.

With respect to the questions in http://tools.ietf.org/html/rfc5706#appendix-A.1 , this is a mechanism that might be used among consenting adults. The question of how it might interact with an implementation that doesn’t conform to the specification (for example, doesn’t implement IPsec) is not especially addressed; a fair supposition is that it would not work. However, if both ends support it, it provides a means to generate a temporary key from IPsec keying material exchanged using IKEv2 as opposed to requiring prior configuration. That is likely to improve deployability over present mechanisms.