
Minutes from the Chicago IETF meeting




Enclosed please find meeting minutes from the Chicago IETF IPSEC working
group meeting.  My apologies for the delay in getting these out.

I'd appreciate getting any comments on this within the next week
(earlier if possible), so I can get these submitted to the IETF
Secretariat as soon as possible.

Thanks!!

						- Ted

P.S.  This is also available on the web as:

	http://web.mit.edu/tytso/www/ipsec/chicago/

which includes Luis Sanchez's slide presentation on Security Policy
Management.


    Chicago IETF (August, 1998) IPsec Working Group Meeting Minutes

The WG met on Tuesday at the IETF meeting in Chicago, from 14:15 to
15:15.  Approximately 120 people attended.  This was MBONE
broadcast.

The Agenda was: 

	* Workgroup status
	* Workshop announcement
	* Charter revision
	* Discovered problems with IPsec/IKE based on current implementation 
		experience --- Lifetime discussion
	* ICMP messages, standardized error codes, and MIBs
	* Policy/tunnel endpoint discovery
	* Policy-based Security Management

Workgroup status
================

Ted gave a report on the status of the IPSEC working group.  The full
suite of Internet Drafts has been approved by the IESG.  They are
currently being processed by the RFC editor and should be published
shortly.  It is now time to revisit the IPSEC charter, since we have
met almost all of the goals and milestones in the original charter.

Workshop announcement
=====================

Microsoft will be sponsoring an IPSEC interoperability testing
workshop in Redmond on Aug 31 -- Sep 3rd.  Approximately 20-25
companies have signed up for the workshop.  William Dixon
(wdixon@microsoft.com) is the contact person for this workshop.

IBM is also sponsoring another round of interoperability testing in
Binghamton, NY on October 27--30.  This test will also include L2TP.
The $300 fee has been waived by IBM.

Charter revision
================

Bob Moskowitz led a discussion on new items for work goals for revising
the charter.  These items included:

	* address errors and improvements; errata to be maintained on MIT web site
	* add functionality
	* remote client support
	* policy and tunnel endpoint discovery (Bill Simpson votes to remove, since
		this is a complex non-security issue already being dealt with elsewhere)
	* complex tunnel management
	* ICMP messages, error codes, MIBs
	* additional algorithms
	* IPsec over non-IP protocols (IPX? "Running shoes?")
	* key recovery: excluded to the sound of cheers and hisses
	* integration of IPsec and certificate frameworks, DNSsec
	* cleaning up the host-host (non-VPN) case; not sure what's missing
	* results implemented from Secure Multicast IRTF activity

The working group chairs will compose a new proposed charter based on
these suggestions, and present it to the working group.

Lifetime discussion
===================

Although there is a default value established for Phase 2 lifetimes,
there is no similar default for Phase 1 lifetimes.  There are,
unfortunately, conflicting interpretations regarding how to proceed
in the absence of an explicitly specified Phase 1 lifetime.  There is
an optional notification facility, but it's unclear what happens if
the notified value isn't acceptable.  This underspecification has an
interoperability impact.  (This will need to be corrected in a
protocol errata.)

ICMP messages, standardized error codes, and MIBs
=================================================

Michael Richardson gave a presentation on two problems which he has
been concentrating on.  One is the issue of Path MTU discovery across
an IPsec tunnel, which could be ignored in IPv4 but not in IPv6,
since IPv6 drops packets greater than the MTU instead of fragmenting
them.  (On the other hand, the IPv6 minimum MTU is also much bigger,
so perhaps the problem can be ignored.)
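The following is an added worked example, not part of the minutes or of any presentation given at the meeting.  It puts numbers on the Path MTU concern above: a tunnel-mode ESP packet over IPv6 grows by the outer IPv6 header, the ESP header, the IV, cipher padding and the ICV, and an IPv6 router never fragments, so the tunnel ingress itself has to compare the encapsulated size against the path MTU and, when it does not fit, report a reduced MTU back to the source.  The ESP layout follows the RFC 2406 format; the 8-byte cipher block, 8-byte IV and 96-bit ICV are assumed values chosen to match the DES-CBC/HMAC-96 style transforms of the time, and the function names are my own.

```python
"""Added example (not from the minutes): ESP tunnel-mode size over IPv6 and
the Path MTU decision a tunnel ingress must make.

Assumed parameters: 8-byte cipher block, 8-byte IV, 12-byte (96-bit) ICV.
"""

IPV6_HEADER = 40     # outer IPv6 header added by tunnel mode
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
IPV6_MIN_MTU = 1280  # smallest MTU any IPv6 link is required to carry


def esp_tunnel_size(inner_len, block=8, iv_len=8, icv_len=12):
    """Bytes on the wire for an inner packet of inner_len bytes in tunnel mode.

    ESP pads so that payload + padding + pad-length byte + next-header byte
    is a multiple of the cipher block size, then appends the ICV.
    """
    body = inner_len + 2             # payload plus the two trailer bytes
    pad = (-body) % block            # padding needed to reach a block boundary
    return IPV6_HEADER + ESP_HEADER + iv_len + inner_len + pad + 2 + icv_len


def largest_inner_len(path_mtu, block=8, iv_len=8, icv_len=12):
    """Largest inner packet whose encapsulation still fits in path_mtu."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, block, iv_len, icv_len) > path_mtu:
        n -= 1
    return n


def pmtu_decision(inner_len, path_mtu, block=8, iv_len=8, icv_len=12):
    """What the IPv6 tunnel ingress must do with a packet of inner_len bytes.

    Returns ("forward", wire_size) when the encapsulated packet fits, or
    ("packet_too_big", mtu_to_report) when it does not.  IPv6 routers do not
    fragment, so the ingress must drop the packet and tell the original
    source the largest inner size that will fit after encapsulation.
    """
    wire = esp_tunnel_size(inner_len, block, iv_len, icv_len)
    if wire <= path_mtu:
        return ("forward", wire)
    return ("packet_too_big", largest_inner_len(path_mtu, block, iv_len, icv_len))


if __name__ == "__main__":
    # A packet already at the IPv6 minimum MTU does not fit on a 1280-byte
    # path once encapsulated, so the ingress cannot simply rely on the
    # "minimum MTU is big" argument; it has to report a smaller MTU upstream.
    print(esp_tunnel_size(IPV6_MIN_MTU))              # 1356
    print(pmtu_decision(IPV6_MIN_MTU, IPV6_MIN_MTU))  # ('packet_too_big', 1206)
    print(pmtu_decision(IPV6_MIN_MTU, 1500))          # ('forward', 1356)
```

The padding step is why the usable inner MTU is not simply path MTU minus a constant: two inner sizes one byte apart can differ by a whole cipher block on the wire, so a correct ingress computes the fit per packet rather than subtracting a fixed overhead.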

The other area of concern is ICMP messages and IPsec, to support
diagnostic tools such as traceroute and ping.

Policy/tunnel endpoint discovery
================================

Roy Pereira has some drafts forthcoming which will cover IPsec policy
and tunnel endpoint discovery issues.  These include how a new machine
on the network bootstraps itself by obtaining its first policy, and
secure route discovery in the face of complex topologies and multiple
secure paths for load-balancing and/or redundancy.

Policy-based Security Management
================================

Luis Sanchez gave a presentation on Security Policy Management work
going on at BBN.