
Minutes for the Washington IETF meeting



Hi all,
	My apologies for the lateness of these minutes.  As I mentioned
before, I had to reconstruct the minutes from notes that were taken,
since we had neglected to appoint a scribe.  My thanks to John Linn,
Richard Graveman, and Tatu Ylonen for graciously sending me copies of
their notes; this was a great help in creating these minutes.

	If you could look over these minutes and offer any corrections
quickly, I would appreciate it.  The deadline for the submission of
minutes is fast approaching.  Thanks!

							- Ted


IETF Washington IPsec Working Group Meeting Minutes

The IPSEC working group met on Tuesday, December 9th, 1997, at the
IETF meeting in Washington, D.C.

The Agenda was as follows:

Agenda Review				1545-1550
Results of the Document Reading Party	1550-1620
Next Steps on Documents			1620-1630

IPSECOND issues

Multicast key management		1630-1645
Policy management			1645-1705
Tunnel Management			1705-1710
MIB 					1710-1715
IANA Registration			1715-1720
IPSECOND Scoping			1720-1735

The following items were added to the agenda:

	SSH ISAKMP test web page
	Next workshop
	SecurID Draft Convergence


Results of the Document Reading Party
=====================================

Bob Moscowitz reviewed the procedure which we followed the previous
night to review the documents.  

In total, approximately 25-30 people attended, and split up into teams
to review sets of two or three documents, checking for consistency
amongst the set of the documents, as well as problems internal to the
documents.  Notes from the various teams were collected, to be
published to the IPsec mailing list.

A large number of issues that were identified were related to the
Architecture document, and Stephen Kent presented those issues in his
presentation.  (Slides to be included in the minutes.)

Next step on documents
======================

There are currently a set of 12 documents.  Document editors will make
another last set of changes, ask for comments to the list, and we will
be entering last call on the documents very shortly.


Multicast key management
========================

Dan Harkins from Cisco and Naganand Doraswamy from Bay Networks
presented a proposal for multicast key management, MKMP.

MKMP is intended to provide scalable and secure distribution of
multicast keys.  It assures liveness; the key doesn't cross the wire
(even encrypted), except on rekey operations.  Routers do not need to
join the secure multicast group, and it is independent of the
underlying multicast routing.  MKMP uses IPsec to secure multicast
traffic and ISAKMP/Oakley-type messages for key management.
MKMP-aware routers can become Group Key Distributors (GKDs); the Group
Information Tuple enforces access and delegates key distribution
authority.  It uses an ALL-MKMP-BOXES group.  Key acquisition is
separate from group join.  To create a secure group, the group key
manager creates the key, a list of candidate key distributors, and
access control info.  Periodic key distributor solicitations are sent
to the multicast group address; if the message reaches a candidate
group key distributor, it obtains the key from the group key manager
using the key distribution protocol.  Only routers already on the
distribution tree become GKDs.  Next steps are to clean up and issue a
draft MKMP specification.  MKMP may require a separately chartered WG,
but won't be considered by the IESG until the current IPsec docs have
passed.

Policy management
=================

Policy means different things to different people.  It was referenced
in the original documents, but there was only modest support in the
protocols.  Does there need to be a protocol to support policy
management?  A straw poll indicated that a modest number of people
agree.  Someone pointed out that there is ongoing work in this area
within the Radius group.  Others are concerned that this is not purely
a protocol issue, and that policy management may not be well enough
understood for us to design a protocol, let alone standardize it.  BBN
has some ongoing work in this area.  IBM is also doing some work on
describing policies within LDAP.  Note: this area can be an unbounded
research topic unless strict requirements are used to bound the
problem.


Tunnel Management
=================

Several drafts have been submitted on this topic.  There is some
overlap between tunnel management and the work in the VPN BOF.
Someone from Timestep commented that we must understand what we want
to accomplish, and that we must do this in a standard way so that we
don't have all these proprietary methods to configure.

MIB
===

There's not much to say about MIBs, except that one is required for
elevation to Draft Standard.  (Since we will be elevating the current
drafts to Proposed Standard, this is not an immediate issue.)  Rodney
Thayer and Uri Blumenthal are interested in working on this.

IANA Registration
=================

Rodney is looking into the requirements for IANA registrations; we
need to specify procedures for allocating algorithm identifiers in
the future.  [Note: after the meeting, I learned that we need to do
this before the drafts go to the IESG.  This is an issue which can't
wait for IPSECOND. --- Ted]

IPSECOND Scoping
================

Ted then led a brainstorming session about future work items which
should be included in the IPSECOND work.  The following items were
identified by the working group as additional items that follow-on
work should consider.

  - agenda discussion moved to mailing list
  - question about SNMP
  - "i have a solution" guy, draft: draft-ietf-firewallmib-19.txt?
  - JI: IPsec currently good for vpns and remote access; several
    efforts in other groups to secure individual protocols.
    How can we take out the security done in other protocols, and make
    them use IPsec?
  - Dan McDonald (Sun's IPsec guy): being good for vpn's isn't the way it
    was designed, this is how it was implemented
  - Eric Rescorla: using IPsec may not be feasible for application
    protocols, even though you may be able to use IPsec key management
    for them
  - disa guy: suggests focusing exclusively on IPv6


ISAKMP test web page
====================

Tero Kivinen presented an ISAKMP test web page which has been made
available by SSH Communications Security in Finland.  The URL for the
web page is: "http://isakmp-test.ssh.fi/".  All of the popular
algorithms are available.  For demonstration purposes it can be used
to test against itself.

In answer to questions about future interoperability sessions, Bob
Moscowitz indicated that while the ANX (as a customer) was not
intending to sponsor any further interoperability sessions, other
vendors are stepping up to sponsor these activities.  Another
interoperability session is being planned for mid-February; Cisco has
offered facilities for this session.

SecurID and ISAKMP
==================

Roy Pereira from TimeStep had published an ISAKMP/SecurID integration
I-D shortly before the meeting.  There is another I-D written by New
Oak as well.  The authors are planning to align the drafts.
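
Illustration: MKMP key distribution
===================================

The MKMP flow summarized under "Multicast key management" above, as an
added toy model.  This is not code from the MKMP authors and was not
part of the original minutes: the roles (group key manager, candidate
group key distributors, solicitations to the group address, the Group
Information Tuple as access control) follow the minutes, while the
tuple fields, the message shapes, the key-version counter, the
distribution-tree flag on each router and the sample topology are
assumptions made so that the model runs.

```python
"""Toy model of the MKMP key-distribution flow summarised in the minutes.

Added illustration, not code from the MKMP authors.  Roles follow the
text; the tuple fields, message shapes, version counter and the
distribution-tree check are assumptions made to have something runnable.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class GroupInfoTuple:
    """Assumed shape of the Group Information Tuple: which routers may
    distribute the key, and which hosts are permitted to obtain it."""
    group: str
    candidate_gkds: frozenset
    allowed_members: frozenset


class GroupKeyManager:
    """Creates the group key and hands it only to candidate GKDs."""

    def __init__(self, git: GroupInfoTuple):
        self.git = git
        self.version = 1                 # assumed key-version counter
        self.key = secrets.token_bytes(16)

    def rekey(self):
        # Rekey is the one operation where a fresh key crosses the wire.
        self.version += 1
        self.key = secrets.token_bytes(16)

    def key_distribution(self, router_id: str):
        # Assumed key distribution protocol: a candidate GKD pulls the
        # current key from the manager; anyone else is refused.
        if router_id not in self.git.candidate_gkds:
            raise PermissionError(f"{router_id} is not a candidate GKD")
        return self.version, self.key


class Router:
    """A multicast router that may become a Group Key Distributor."""

    def __init__(self, rid: str, on_tree: bool):
        self.rid = rid
        self.on_tree = on_tree   # assumed flag: on the group's distribution tree?
        self.version = None
        self.key = None

    def on_solicitation(self, gkm: GroupKeyManager) -> bool:
        # A solicitation sent to the group address only reaches routers
        # already on the distribution tree; of those, only candidates
        # listed in the tuple fetch the key and become GKDs.
        if not self.on_tree or self.rid not in gkm.git.candidate_gkds:
            return False
        self.version, self.key = gkm.key_distribution(self.rid)
        return True

    def serve_key(self, host: str, git: GroupInfoTuple):
        # Key acquisition is separate from joining the multicast group:
        # a host must pass the tuple's access control to get the key,
        # independently of whether it has joined at the routing layer.
        if self.key is None:
            raise RuntimeError(f"{self.rid} is not a GKD")
        if host not in git.allowed_members:
            raise PermissionError(f"{host} not permitted by access control")
        return self.version, self.key


def solicit(gkm: GroupKeyManager, routers):
    """One periodic key-distributor solicitation; returns the GKDs it made."""
    return sorted(r.rid for r in routers if r.on_solicitation(gkm))


def run_scenario():
    """Constructed topology: candidates r1, r2 (on tree) and r3 (off tree),
    plus r4, which is on the tree but not a candidate."""
    git = GroupInfoTuple(
        group="239.0.0.1",  # sample group address, constructed for the model
        candidate_gkds=frozenset({"r1", "r2", "r3"}),
        allowed_members=frozenset({"alice", "bob"}),
    )
    gkm = GroupKeyManager(git)
    routers = [Router("r1", True), Router("r2", True),
               Router("r3", False), Router("r4", True)]

    gkds = solicit(gkm, routers)          # r3 is off-tree, r4 not a candidate
    r1 = routers[0]
    v_before, k_before = r1.serve_key("alice", git)
    refused = False
    try:
        r1.serve_key("mallory", git)      # not in allowed_members
    except PermissionError:
        refused = True

    gkm.rekey()                           # new key; GKDs re-fetch on next solicitation
    gkds_after = solicit(gkm, routers)
    v_after, k_after = r1.serve_key("bob", git)
    return {
        "gkds": gkds,
        "mallory_refused": refused,
        "version_before": v_before,
        "version_after": v_after,
        "key_changed": k_before != k_after,
        "gkds_after_rekey": gkds_after,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the two properties the minutes call out:
only the candidate routers that the solicitation can reach on the
distribution tree become GKDs, and a host is refused the key by the
tuple's access control regardless of whether it is on the multicast
tree.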