[CGA-EXT] Meeting minutes

marcelo bagnulo braun <marcelo@it.uc3m.es> Sun, 09 December 2007 12:27 UTC


Hi,

First of all, I would like to thank Suresh and Mikko for the notes!!

I attach the meeting minutes, let me know if you have some corrections.

Regards, marcelo

-------------------------------------------------------------------------------
CSI BoF Minutes
THURSDAY, December 6, 2007
9:00 - 11:30 - Salon D/E
-------------------------------------------------------------------------------
AGENDA

1. Agenda, Bluesheets, Note-takers and Jabber scribes    5 Mins

2. Work Motivation, proposed charter presentation
    Gabriel Montenegro & Marcelo Bagnulo                 30 Mins

3. IPv6 Secure ND implementation report on Cisco IOS
    Eric Levy-Abegnoli                                   10 Mins

4. IPv6 Secure ND implementation report by DoCoMo
    Julien Laganier                                       5 Mins

5. Proxy-SeND
    Suresh Krishnan                                      10 Mins

6. DHCP, CGAs and SeND interaction
    Iljitsch van Beijnum                                 10 Mins

7. Discussion
    All                                                  30 Mins

-------------------------------------------------------------------------------

1. Agenda, Bluesheets, Note-takers and Jabber scribes    5 Mins

Scribes: Mikko Sarela and Suresh Krishnan

-------------------------------------------------------------------------------

2. Work Motivation, proposed charter presentation

Marcelo presented send status
SeND: limited deployment, considerable potential
Widespread adoption soon expected
A whole bunch of drafts in this area

General areas of work:
- Crypto agility for send (exists for cga)
- Hash function analysis for SEND
- SEND support for proxy ND
- DHCP integration for CGAs

-------------------------------------------------------------------------------

3. IPv6 Secure ND implementation report on Cisco IOS by Eric Levy-Abegnoli

Very few implementation issues
Ready for interop testing now

Main issues
===========
* How to allow non-CGA addresses for routers?
* Issues with DoS attacks using SEND Timestamps

Francis Dupont (FD) thinks the same attack exists against plain old ND

* How to put in many nonces into multicast RAs in response to multiple RSs?
* Provisional acceptance of certificates causes issues with repeated CRL checks
* Possible conflicts with RFC4861 behavior

-------------------------------------------------------------------------------

4. IPv6 Secure ND implementation report by DoCoMo by Julien Laganier

Completely implemented in user space
Downloads steadily going down (total of 67)
Require more people to try this and give feedback
Will try to interop with Cisco IOS

Francis Dupont thinks it is not possible to have a compliant
implementation in userland. He wants to know if there are plans?
Julien does not think so
ELA explains about not adding entries into NC as an example
Alex Petrescu discusses about software architectures (kernel vs user...)
Jari Arkko (JA) would like to have more implementations (perhaps
kernel+userland based)

-------------------------------------------------------------------------------

5. Proxy-SeND by Suresh Krishnan

Problem with proxying and SEND, because SEND assumes that the address
owner and the advertiser are always the same.

Steps to solution:
Separate address ownership and advertiser
Add indication of proxying into SEND packet
Provide mechanisms to establish trust between the proxy, proxied, and
the receiver

-------------------------------------------------------------------------------

6. DHCP, CGAs and SeND interaction by Iljitsch van Beijnum

Use to distribute Sec values across the network
- is this network policy or host policy?

IvB thinks the main use cases for using DHCP with CGA are

* Offloading hashing for sec>0
* Address registration
* Certificate provisioning

Alex thinks that subnet allocation depends on the discussions in 6man
and dhc wgs

Ill wants to do an analysis in csi and go back to 6man and dhc with
the results

ELA mentions a proposal in dhc for sending send certs with DHCPv6-PD

Jari thinks that that particular proposal has unresolved issues.
Division of work: DHC wg – whoever wants to use DHCP for carrying
new things, has to know its things and DHC will review options, etc. but
don't drive the work. DHCP related things will be studied here, not in
DHC wg.

Jean-Michel Combes (JMC) thinks there are other proposals possible, e.g.
using BU/BA. He wants a single location to discuss this

JMC thinks that a proxy ND solution needs to address anycast addresses

-------------------------------------------------------------------------------

7. Discussion

Alex wants to know about IPR

Jari (with disclaimer working for IPR owner) The licenses are
royalty free for the base specs
For extensions in this wg we need to deal with them on a case by case
basis

Christian Vogt thinks CGAs are a great tool to get security without
infrastructure irrespective of IPR

IvB and Alex want clearer text for proxy SEND

JMC wants to add anycast explicitly

Marcelo is not sure a single solution is possible

Alex talks about using SEND to protect DHAAD

FD wants to know more about the CGA+DHCP item

Marcelo thinks we need to analyse the problem space first and come up
with possible work items.

Jari agrees with Marcelo and thinks further work requires a recharter.

Ralph explains that dhc extensions are done in outside wgs but he
prefers early collaboration and review to avoid late surprises

Fred wants to know if client can propose CGA IID to DHCP

Ralph thinks there is no technical restriction to put prefix info
into DHCP

Gabe, Jari, and JMC want to include a specific point in the charter
for certificate provisioning

Khadra Ahmed wants to document the certificate management and define a
certificate profile

Marcelo thinks the first part (cert mgmt) will be covered by certificate
provisioning item

KA to write up some text and send it out

Jari thinks that 3971 updates are needed based on the implementation
proposals

SK wants to know about other signature algorithms for SEND

JMC wants to know about IKEv2 and CGA interaction

Jari thinks this group should focus on ND and DHCP and IPv6 control
signaling. More general applications need another BoF possibly in
another area, but feel free to submit proposals in other areas

FD wants to secure MLD

Gabe has a proposal using CGAs for this but it is out of scope for
this charter

Judging consensus
=================

Show of hands for support vs not support
50-0

Will actively participate and review
25

Have interest + time
10-15 people

Happy with high level charter with agreed additions
20-0

Jari needs to discuss details further

Elwyn Davies asks what to do if not enough people with time to cover all
targets. Need to prioritize

Jari thinks more implementations coming out soon. Need to do updates
first. DHCP and proxy are low priority.

Tony thinks the info dhcp document may be useful. Does not need to be
short term.

Jari thinks getting the protocol clarifications seems the most important
thing. Because otherwise the implementations will do something funny.
DHCP not so immediate.

There are some people who may see value in doing the DHCP now.

END OF MEETING

