[AAA-WG]: IETF 60 meeting minutes
<john.loughney@nokia.com> Wed, 01 September 2004 05:51 UTC
Received: from trapdoor.merit.edu (postfix@trapdoor.merit.edu [198.108.1.26]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA09394 for <aaa-archive@lists.ietf.org>; Wed, 1 Sep 2004 01:51:10 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix) id 0FF20912CC; Wed, 1 Sep 2004 01:50:57 -0400 (EDT)
Delivered-To: aaa-wg-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id C51519126D; Wed, 1 Sep 2004 01:50:56 -0400 (EDT)
Delivered-To: aaa-wg@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 783B3912CC for <aaa-wg@trapdoor.merit.edu>; Wed, 1 Sep 2004 01:50:45 -0400 (EDT)
Received: by segue.merit.edu (Postfix) id 53411843F3; Wed, 1 Sep 2004 01:50:45 -0400 (EDT)
Delivered-To: aaa-wg@merit.edu
Received: from mgw-x4.nokia.com (mgw-x4.nokia.com [131.228.20.27]) by segue.merit.edu (Postfix) with ESMTP id 438DD843ED for <aaa-wg@merit.edu>; Wed, 1 Sep 2004 01:50:44 -0400 (EDT)
Received: from esdks004.ntc.nokia.com (esdks004.ntc.nokia.com [172.21.138.159]) by mgw-x4.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i815ogT24326 for <aaa-wg@merit.edu>; Wed, 1 Sep 2004 08:50:42 +0300 (EET DST)
X-Scanned: Wed, 1 Sep 2004 08:48:36 +0300 Nokia Message Protector V1.3.31 2004060815 - RELEASE
Received: (from root@localhost) by esdks004.ntc.nokia.com (8.12.9/8.12.9) id i815maEV028183 for <aaa-wg@merit.edu>; Wed, 1 Sep 2004 08:48:36 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks004.ntc.nokia.com 00n4SCfI; Wed, 01 Sep 2004 08:48:25 EEST
Received: from esebh002.NOE.Nokia.com (esebh002.ntc.nokia.com [172.21.138.77]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i815mJY11342 for <aaa-wg@merit.edu>; Wed, 1 Sep 2004 08:48:19 +0300 (EET DST)
Received: from esebe005.NOE.Nokia.com ([172.21.138.45]) by esebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 1 Sep 2004 08:48:10 +0300
Received: from esebe056.NOE.Nokia.com ([172.21.143.51]) by esebe005.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 1 Sep 2004 08:48:09 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [AAA-WG]: IETF 60 meeting minutes
Date: Wed, 01 Sep 2004 08:48:09 +0300
Message-ID: <3CF661B1787ABF41A869BE20108F8D6D0891C2@esebe056.ntc.nokia.com>
Thread-Topic: IETF 60 meeting minutes
Thread-Index: AcSP50NEg7Ov/fdlSuaXt6lVlOcy9A==
From: john.loughney@nokia.com
To: aaa-wg@merit.edu
X-OriginalArrivalTime: 01 Sep 2004 05:48:09.0150 (UTC) FILETIME=[42A455E0:01C48FE7]
Sender: owner-aaa-wg@merit.edu
Precedence: bulk
Content-Transfer-Encoding: quoted-printable
AAA WG meeting Tuesday, August 03, 2004, IETF-60, San Diego Minute taker: Lakshminath Dondeti, ldondeti@nortelnetworks.com +++++++++++ NASREQ: some comments off the mike Diameter: waiting for Allison M., comment Diameter EAP finished WG last call DIAMETER-SIP and aaa-uri in AAA WG last call First session presentations: Diameter EAP: Pasi E. first WGLC ended in Seoul meeting Clarifications Which application id to be used. Open: issues 465-7 Proposal to incorporate 465 and 466 , but not 467 Send to IESG %no discussion +++++++++++++++++ EAP key management issues: Bernard, A. Review of the doc: participants: EAP peer (multiple ports), Authenticator w/ multiple ports, and then the AS 0 Discovery 1 Authentication 1a EAP auth 1b AAA key xport 2 SA establishment 2a unicast 2b multicast Conversation: Requirements: Outlined by Russ H at IETF-56 Algorithm independence, fresh and strong keys, replay detection, authenticate all parties. + perform client and NAS authorization + Maintain confidentiality of sess keys + confirm selection of best suite + address cascading vulnerability problem + bind key to ctxt *Some relate to AAA* EAP: media, method and ciphersuite independence Types of EAP keys: calculated locally, exported by EAP method, etc., EAP key hierarchy: changes: long term credential Key naming: MSK, EMSK, AMSK, AAA-Key Key lifetime issues: negotiation, out of band mgmt Lifetime mgmt: Transient EAP keys existing attr: session-timeout AAA-Key caching Glenn Z., force key lifetime to be of the same lifetime as the session can't have a key lifetime shorter than session lifetime Bernard: can conceivably do rekeying during a session do you rekey or reauth to renew? G Z: force rekey and reauth to be the same Pasi E: since EMSK is between client and AAA server; they talk EAP, which does not separate reauth and rekey. B A: in WPA can rekey without reauth Jari A: that's a rekey at a lower layer B A: need to be clear about what is being rekeyed Pat C: PMK rekey vs. PTK rekey B A: w.r.t exported keys there is no rekey without reauth (Transient keys can be rekeyed) G Z: in EAP that's true; from AAA pov it's not true. e.g., session timeout is forever; but we want to change key without reauth B A: this is not the same as fast resume J A: problem with AAA rekeying GZ proposes is that we need a new mechanism P E: EAP can't do that! J A: it's DIAMETER EAP; probably something that can be done in the future; not in any of the current WG docs ??: not good to cache EMSK J A: can you explain that? If you don't cache the EMSK, when can the app request an AMSK ??: app based J A: how would that work: chick and egg problem ??: discuss in B A: EAP WG more on this at the EAP WG ... ++++++++++++++++++++++++++++++++++ Glenn Z: Alternative EAP keying approaches. 1. RADIUS-keywrap Govt requirements This makes it easy for companies to sell to govt bodies: Just use IPsec does not work: run RADIUS over IPsec; hardly anyone supports it does not authenticate to a process which you are speaking vulnerable to Trojans (talking to right box, without the right server/process does not work) Is not possible for an app to know that IPsec is running; need verifiable security. App layer security is better. Pasi E: widely known that IPsec for app layer security does not work. G Z: IPsec might require a PKI for "proper" operation J A: keywrap is better. Works for DIA/RAD. key protected by TLS can be "keywrap"ped. P C: NIST approval is still harder. MD5 is still used G Z: no there is no MD5 2. RADIUS-keyreq EAP rekeying and authentication are the same operation. AAA client authenticating to server or vice versa, and needs a new key is the app being considered. J A: Q: Is this not going to be applied for RAD/DIA? G Z: can't think of why not? J A: we are not doing another keying model! ??: Missed some discussion between Bernard and Glen John L: does not impact RAD/DIA. So, no updates needed there. ++++++++++++++++++++ 2nd session ++++++++++++++++++++ Diameter Mobile IPv4: 18 & 19 Addressing IESG comments ++++++++++++++ NASREQ-17: fixing last minute issues/bugs, and addressing IESG review doc going to the RFC editor Changes: issues: 464, 466, 468 ++++++++++++++ CC-05: Addressing Allison M.'s discuss: I: Too 3GPP specific A: AVPs are extensible I: need to think broadly about SIP A: will add text I: Message flow diags too 3GPP specific A: will update to be more general IANA issues TB addressed Ted H Discuss: I 4.1 needs clean up: guidelines for interoperability A: proposed text ok'ed I: 5.5 I: credit fragmentation (has been cleared) > Allison's Discuss needs to be resolved G Z: add service id AVP Glenn Z: don't understand how this is expected to work thru anything other than a case where there is a direct connection with a BCC server. Dropping that issue, but that was the issue. ++++++++++++ AAA-URI: Updating 3588 -01- in WGLC, ending Aug 18th; please send comments latest changes are editorial; no known open issues ++++++++++++ Diameter-SIP-03 in WGLC, ending Aug 26th need comments need to analyze comaptibility with draft-sterman-aaa-sip B A: last opportunity to review; this will be deployed widely, so please review. will request SIP & SIPPING WG for review changes: SIP registration -> SIP soft state management -> digest-expected-response AVP updatd: authentication details section Please use the issue tracker: http://danforsberg.info:8080/draft-ietf-aaa-diameter-sip/ e.g., open issue 14: support for qop=auth-int SIP UA <--> SIP server <---> Diameter server SIP server creates the hash upon indication from DIAMETER server. ++++++++++++ DIAMETER QoS application why? % Authn Authz for QoS req, and Acc for QoS reservations More discussion in NSIS interface to app servers: allow them to dynamically authorize/de-authorize flows propogate knowledge of bearer flows ... Without this: every QoS routing domain deploys an app server with this: subscriber DB <-> diameter cloud <-> app server ^ | v Bearer entity advantages: uniform interface etc lot of open issues ... need to carry authentication for NSIS ??: don't understand your QoS diagrams/model A: please send comments to AAA list of NSIS list J. L: as NSIS WG co-chair: need something like this in NSIS; not sure this fits exactly B A: after negotiation, what if a "big fish" kicks you off J. L: hum interested: several folks not interested: none (inaudible) will talk to Allison M on how to progress individual I-D, sponsored by her; will run WGLC process in AAA WG. this was agreed upon by other chairs and the author. ++++++++++++++++++++++++++ This will/could be the last meeting of the AAA WG. The mailing list will continue to exist. There may be a subsequent DIAMETER maintenance WG.
- [AAA-WG]: IETF 60 meeting minutes john.loughney