Preliminary minutes from the WG meeting
Greetings again. Here are the preliminary minutes from the WG meeting
last week. Please send any corrections to the list so that Ted and
Barbara can turn in the correct minutes for the proceedings. Please
do *not* reply to this message to discuss topics from the meeting;
instead, start a new thread.
--Paul Hoffman, Director
--VPN Consortium
IPsec WG meeting
1300, November 10, 2003
Ted Tso and Barbara Fraser chaired the meeting
Paul Hoffman took these minutes
Agenda was bashed lightly
Document status
Publication Requested (waiting for Russ Housley's review)
IKEv2
IKEv2 algorithms
IKEv2 UI suites
Waiting for IESG telechat
AES CCM
AES XCBC PRF
NAT Traversal
RFC Editor queue
AES CTR mode
Dead
All MIBs except the flow monitoring MIB
Back from the IESG, returned with changes
DPD
NAT requirements
Need new drafts
Need IANA registry seeding -- secretarial work
Michael Richardson volunteered
Many other drafts have minor changes such as references
2402bis and ESPv3 need a document of required algorithms
Donald Eastlake volunteered
Ongoing work
2401bis, which is what we will talk most about today
RFC 2401 issues
Seven open issues from the issue tracker
Also will discuss the revised processing model
Issue 82 -- Creation of SAs
Needs better text
Text is available, not yet in the issue tracker
Issue 85 -- What to do when you have an inbound packet
if it has a valid SA but is not in the selectors
Use an ICMP message, or use an IKEv2 message?
2401 is tied to IKEv2, so we can add to IKEv2 for this
David Black supported using the IKEv2 method
Michael Richardson concurred
Issue 88 -- Mark Duffy proposed lifting the prohibition on
red-side fragmentation by the SG
Intervening gateways might fragment anyway
Bill Sommerfeld pointed out that you might be defragmenting
from different SAs
Michael Richardson pointed out that a new PMTU list
has been formed to discuss issues that might impinge on this
Mark Duffy pointed out we couldn't rely on PMTU
Bill Sommerfeld believes we need to discuss this more to make
sure this doesn't affect future protocols
Michael Richardson wants to make sure we don't break other people's
protocols in the future
Steve Kent sees this as a question of "if we are going to fragment,
what should be the size". We don't know that now, but we can
find that out later.
Ted wants people to think hard about it this week. 10ish thought
we should adopt it now, 10ish wanted this week to think about
it. We will accept the resolution unless a group comes back
within a week.
Issue 89 -- Misunderstanding about the use of selector name
New text is going to come this week
Issue 90 -- Removed the selector "data sensitivity level"
We don't have a way to negotiate it in IKEv2
Bill Sommerfeld agrees on cutting it out as long as those
who want it can add it later
Michael Richardson pointed out that there are lots of other things
that we cannot yet negotiate that we might specify later
Straw poll: many in favor, no opposition
Issue 91 -- Handling ICMP error messages
Some people think the text is complicated
ASCII diagrams only reflect tunnel mode
Request to look at issue 91 closely
Michael Richardson thinks that it is important it gets done, and
that the text is going in the right direction. It might
be revised later after people adopt it.
This is specified as a local implementation choice
Paul Hoffman reported that he has seen unprotected ICMP messages
cause gateways to do unpredictable and mysterious stuff
Bill Sommerfeld said we should have recommended initial values for
a couple of ICMP types, maybe with a GUI suites style
Revised processing model
Steve Kent described the new model in 2401bis
No longer say that SPDs are tied to particular interfaces
You can support as many as you need for your context
Most folks will have just one
Forwarding decisions are separate from SPD selection
Many diagrams were shown and described
Some of the diagrams will appear in the document as ASCII art
Gregory Lebovitz asked about whole-system implementation that
includes more than just IKE/IPsec
Bill Sommerfeld made sure that "interface" could be part of an API
Steve talked about decorrelating SPD entries into sub-entries
Allows caching of the SPD for greater speed
Can cause the database to get much bigger, but usually doesn't
There are asymmetries between inbound and outbound processing
Showed a photo of a pied oyster catcher (Haematopus ostralegus)
Asked for questions
Next step is to fold today's discussion into the next document
Steve will try to come up with text about who can assert identities
Bill Sommerfeld liked that idea
Proposed timeline for 2401bis from the WG chairs
Close all issues by Nov. 30th
Final draft by December 15
Start WG last call December 15 through January 10
Please comment as soon as possible on the issues above
Strong identity protection using hidden credentials
Presented by Hilarie Orman
Was presenting this now because the WG is about to shut down
Identity protection in IKE was an original requirement for IKE
The current methods are unsatisfactory
Don't work against a MITM
Always complicate the protocol
New ideas based on Identity-Based Encryption
The idea was originally proposed by Shamir around 1985
This is recent work by Boneh
Steve Kent brought up some issues that were taken off-line
Not that different than having to know the CA, but with
big downsides
Basic idea: the public part of the key is based on the identity
Key protocol remains simple
Neither party actually discloses whether they are in the same group
Simplifies key management
Uses a very different model than we are used to
One party must generate all the private keys for a group
These private keys must be distributed securely
IPR issues
Stanford has main patent, are thought to be generous
Uses elliptic curve, which has additional IPR
Might be able to use non-EC methods
Could be a possible modification to IKE
Richard Graveman had comments
The trusted key can be split
There are additional implementation ideas that might apply
Could maybe use identity-based signature schemes
This allows one CA per policy
Lauri Tarkkala asked if identity protection is worth the tradeoff
of not generating your own private key
Camellia algorithm update
Presented by Akihiro Kato
Camellia is a 128-bit block cipher
Has been scrutinized for a few years
Already accepted as proposed standard in S/MIME WG
Included in the NESSIE portfolio
Already has IPR statements in the IETF directory
Angelos Keromytis asked about hardware acceleration
Asked why it might overtake AES
Not expected to overtake AES in most places
Some people talked about having only one algorithm
If people want this to be more than just a MAY, they should
talk about it on the list
BEET -- Bound end-to-end tunnel
Presented by Pekka Nikander
Background
Separating endpoint identifiers and locator
There are many proposals for this
It uses a transport mode header but has tunnel semantics
Has its own BEET SAs
Like transport mode plus HostNAT idea
Saves header bytes, especially in IPv6: about 50% if ROHC is used
Useful for wireless
Step towards separating identifier and location
Inner addresses are the identifiers
Outer addresses are the locators
Important for a new architecture
Objections and their deflections
Unnecessary complexity
Adding to KAME stack only took an extra 100 lines
Hard to add to existing implementations
It's OK to be optional
Adding a PF_KEY extension to look for it
Not needed
But many people are thinking about things like this
New mode for ESP
Proposed as an extension to ESP
Would need a change to IKEv2
Does not need to change ESP specification, but would duplicate
ESP and 2401 semantics for BEET
Can be considered as an extension to IPsec (or ESP)
Francis Dupont said that it is better just to use compression
in ESP instead of this
Related BOFs this week
IKEv2 Mobility and Multihoming -- mobike
Profile Use of PKIX -- pki4ipsec
Request for review of the channel bindings draft, which was later
presented in the SAAG meeting
Barbara said it was probably our last meeting; people applauded
Ran out of time, ran out for cookies