
Re: IPsec Minutes from Montreal



 
Ashar, 
 
Your constructive comments on the minutes were received and an updated set of 
minutes reflecting your clarifications has been prepared (last week 
actually).  They will be posted soon. 
 
>I can understand that the minute writers (I assume that this 
>included the chairs) have personal opinions about the competing  
>proposals. May I request, however, that the meeting minutes not  
>be used as the forum to promulgate these opinions, when they  
>don't correspond to events that transpired at the meeting? 
 
As one of the chairs, I can honestly say that we do not use the minutes to 
promulgate opinions.  We are quite lucky to have various contributions of 
notes each meeting to capture the events. We are lucky just to get minutes 
out.   IPsec has been having some very "eventful" meetings, so it is likely 
that all of the details may not have been captured.  There are also 
differences of opinion that can be hard to capture.  For example: 
 
>First, the SKIP PFS exchange requires 2 messages, not 4-6.  
>This is what I presented at the talk, and is present in 
>the SKIP PFS I-D.  
 
It is true that your presentation claimed that SKIP PFS exchange takes 2 
messages.  It is also true that other members of the working group claim that 
SKIP PFS takes 4 to 6 messages.  So depending on who you ask the answer is 2 
to 6 messages.  I am sure that this confusion will be resolved by the working 
group, but it is difficult to document in the minutes this type of difference 
in opinion. 
 
>About two weeks ago I sent the following protest ... 
 
The chairs (Ran and myself) appreciate contributions and comments, but please 
calm down and quit complaining.  The minutes have been improved by the 
clarifications you recommended and "protesting" is unnecessary. 
 
 
Regards, 
 
 
Paul 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Paul Lambert                     Director of Security Products 
Oracle Corporation               Phone:         (415) 506-0370 
500 Oracle Parkway, Box 659410     Fax:         (415) 633-2963 
Redwood Shores, CA  94065       E-Mail: palamber@us.oracle.com 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
"Secure Jobs"  ->  send resumes to: palamber@us.oracle.com   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
  

-- BEGIN included message

About two weeks ago I sent the following protest regarding the
Montreal meeting minutes to the IPsec chairs.  I haven't seen
a correction posted or received any response to my message.
Since the minutes went out on the ipsec mailing list, I would
like to make my objections known here also.


-----------(Begin Forwarded Message)--------------------------
From:                  <ashar>
To:                     palamber@us.oracle.com, rja@cisco.com, jis@mit.edu
Subject:           Re: IPsec Minutes from Montreal
Date sent:            Tue, 3 Sep 1996 17:07:12

Folks,

I would like to protest at the way the meeting minutes were
reported for the ipsec Montreal meeting. Although these
were published a few weeks ago, I have only recently had
a chance to catch up to the postings on the ipsec list.

IMHO the meeting minutes should reflect what transpired, and
not be editorialized with the minute writer's personal views
of the various proposals. 

Also, when there are competing proposals, I believe some 
consideration should be given to fairness in the way the various 
proposals are described. I refer specifically to the use of 
adjectives such as "significant overhead", "hard to implement 
and scale" and "claimed" support of multicast when describing 
SKIP. By contrast, adjectives used for ISAKMP/Oakley are 
"very general", "very flexible", etc.

In addition, I have the following very specific objections to 
the minutes, which I am submitting for the record.

> From ipsec-request@neptune.tis.com Mon Aug  5 16:56 PDT 1996
> The minutes of the last IPsec Working Group were posted to the IETF weeks ago 
> and have yet to appear in the official archive.  For those of you that missed 
> attending the meeting in Montreal the minutes are attached below. 
>  
>  
> Regards, 
>  
> Paul 
> -------------------------------------------------------------- 

> 	Ashar Aziz presented SKIP.  Note the use of the SKIP header 
> between IP header and AH or ESP.  Two modes of use: the first mode has no 
> setup messages once the master keys are in place, no Perfect Forward Secrecy, 
> and has significant per-message overhead.  This mode relies on pre-positioned 
> D-H master keys from which unicast keys are derived.  The second mode uses 
> ephemeral Diffie-Hellman, with certificates, in a 4-6 message exchange, with 
> approximate PFS, anonymity, etc.  Claimed multicast mode support is based on a 
> group co-ordinator creating a group key (distribution of the private key to 
> group members is not described here and is potentially hard to implement or 
> scale) which the sender uses as the target for Diffie-Hellman computation. 
> Checkpoint, Toshiba, ETH, Sun have interoperable implementations of SKIP, 
> based on recent testing.  Some gaps in the SKIP-06 spec were uncovered, and 
> are being fixed in the next draft.  Ashar pushed for adoption of the 
> certificate discovery protocol (CDP) independent of SKIP.  Also can move CRLs 
> as well as certificates, not just X.509 certificates, but PGP too. 
>  

First, the SKIP PFS exchange requires 2 messages, not 4-6. 
This is what I presented at the talk, and is present in
the SKIP PFS I-D. 

Second, I don't understand what "approximate PFS" means. Is
this a new term? If so, I would like to be enlightened,
with perhaps some reference to the relevant literature.
In any case, this is not a term that I used, and not
something that came up during the discussion.

Third, wrt "claimed" multicast support, distribution
of group private key WAS described at the meeting. In fact more
than one way of distributing the group private key was
described. One of these used an expanding ring multicast
search, which gets around the single node responsible
for distributing the group private key. In any case, there
were no comments about "difficult to implement" or
"scaling" at the meeting, and therefore it would have
been more pleasant to not find these in the meeting minutes
(which I assume are the minute writer's personal views).

Same comment wrt "significant per message overhead" description.
This was not something that came up at the meeting, and
is a subjective evaluation. Again, I assume this is a personal
opinion of the minute writer and not something that should
be part of the meeting minutes.

Also, the group private key is not used as the target
for any Diffie-Hellman computation. This is simply a
misunderstanding of the protocol on the part of the minute
writer.

> 	Doug Maughan reported on ISAKMP.  Free software is available via MIT 
> server at http://web.mit.edu/network/isakmp.  

And finally, we also have free software which we mentioned at
the meeting, and gave the URL to. In fairness, perhaps it too 
should have been in the meeting minutes for the benefit of those 
who couldn't attend?

I can understand that the minute writers (I assume that this
included the chairs) have personal opinions about the competing 
proposals. May I request, however, that the meeting minutes not 
be used as the forum to promulgate these opinions, when they 
don't correspond to events that transpired at the meeting?

Ashar.


-- END included message