[Hipsec-rg] draft meeting minutes from last week's meeting

thomas.r.henderson@boeing.com (Henderson, Thomas R) Tue, 28 March 2006 12:24 UTC


Please review and make corrections to the list; I will upload in another
week or so.  Meeting materials are available at the IETF meeting
materials site, and will be converted for the proceedings site.

Thanks,
Tom

HIP-RG meeting minutes, Mar. 24, 2006, Dallas (IETF 65)

Overview
--------
The HIP RG met on Mar. 24, 2006, from 1130 to 1400 (after IETF 65
meeting).  Tom Henderson and Andrei Gurtov chaired the meeting.
33 people signed the pink sheets.

The meeting reviewed a number of updated Internet Drafts on the topics
of HIP privacy extensions, opportunistic HIP and TCP options, SIP and
HIP relationships, advanced NAT traversal, and the RG experiment report.
The meeting also reviewed the status of the three open source HIP
implementations, and observed a few software demonstrations.

The meeting generated a few action items.
i) add "related IETF work" section to the experiment report (Tom H.,
with Pekka N. input)
ii) Tom to discuss with Hannes Tschofenig and Gonzalo Camarillo about
creating a SIP framework draft.
iii) Hannes to consider whether to rework the PATH draft along
the lines of NAT detection techniques, as other aspects of the draft
have moved to WG scope.

Agenda
------

1.  Administrative and agenda discussion
- draft-irtf-hiprg-nat-01.txt status and IRTF review process

2.  Drafts

Experiment report status
- draft-irtf-hip-experiment-02.txt (update)

Opportunistic mode with TCP option
- draft-lindqvist-hip-opportunistic-01.txt (update)

Host Identity Protocol Location Privacy Extensions
- draft-matos-hip-privacy-extensions-01.txt (update)

SIP and HIP
- draft-tschofenig-hiprg-hip-srtp-02.txt (update)
- draft-tschofenig-hiprg-host-identities-03.txt (update)

Advanced NAT/middlebox traversal; problem statement
- draft-tschofenig-hiprg-hip-natfw-traversal-04.txt (update)

Legacy NAT/middlebox traversal
- draft-nikander-hip-path-01.txt (update)

3.  Software

Status update of experimental implementations, and demos
- HIP for inter.net (SPINAT demo)
- InfraHIP (HIP-enabled firewall management interface)
- OpenHIP (multi-platform)


Detailed minutes (compiled by Tom Henderson and Miika Komu)
-----------------------------------------------------------
There were no comments on the agenda.

1. Tom reviewed the HIP experiment report, which was revised prior
to the meeting by Andrei and Tom.  Pekka Nikander commented that
it would help to have an additional section on the related work
ongoing in the IETF, such as shim6.  Tom agreed to this.

2.  Janne Lindqvist presented a draft on opportunistic HIP; specifically,
the inclusion of the HIP I1 packet as a TCP option.  This would allow
a non-HIP-aware host to fall back immediately to TCP.  The main
update of this draft was to remove the TCP piggybacking approach
(discussed at last RG meeting).
(Pekka Nikander) thinking of a gross hack; combine this with using
TCP to drill through NATs.  Can use a certain TCP port for HIP traffic.
(Andrew McGregor): similar to Skype (mentioned some specific port
number tracking technique that Skype uses)
(Lars Eggert):  Does not work for UDP connections.  Problems with
the NAT case; the R1 may not make it back.  Security issue: with HIP
you don't see the port numbers, but now you reveal it.
(Hannes Tschofenig): The last concern is not severe but should be
documented.
(Tom Henderson):  This depends on your privacy policies; for some
use cases, it may matter, but for others (such as when application
or user only cares about trying HIP but allows fall back to vanilla
TCP) it may not matter.
(Lars): It should be clear (for the user) that this is running with
lowered security.

3.  Alfredo Matos presented the update to the HIP privacy extensions
draft.
(Lars):  Can an ethernet flooding algorithm be used for HIT-based routing
in the access network?  Curious as to what your problems are with the HIPL
code?
(Alfredo): implementation troubles; moving to userspace broke the code.
Using HITs in normal interfaces.
(Miika Komu): should work also in the userspace code. We will follow-up
offline.
(Lars): Note, this is different from how RVS currently works.  It does
not relay the complete base exchange.  The first version of the RVS
draft offered complete relaying.
(Hannes): yes, this was supported in the draft to pass symmetric NATs
(Pekka): be aware that there may be some reflection attacks possible with
your approach (RVS is a reflection attack point). You may have to balance
the privacy issues with the security issues.
(Tom): Why do you need HIT-based routing?  Could you write your draft
to be agnostic of this choice (access network routing)?  It seems that
this draft might be a specific instance of the advanced NAT/middlebox
traversal, and might be further developed as such in the future
(perhaps combined with SPINAT).
(Tom):  Have you considered relation of your work to Hi3?
(Alfredo): we had a look at Hi3, but not from the viewpoint of privacy.
(Andrew): IS-IS could be used for your HIT-based routing. It is scalable
and doesn't run on top of IP.
(Tom):  Another issue this draft raises is looking at the
issues when completely relaying the base exchange through RVS.
(Lars): we need to revise the RVS stuff either in WG or RG

4.  Hannes Tschofenig presented updates of two of the SIP drafts.
(Hannes):  The material on the benefits of SIP+HIP has been removed
from the draft that focuses on specification.
(Tom):  That could be moved to the experiment report.  We have
discussed (also with Gonzalo Camarillo) about preparing a SIP framework
document, and then developing the SIP host identities draft and SRTP
drafts as separate specification drafts.
(Andrei Gurtov):  What implementation are you using? Is it public?
(Hannes): using Boeing (openhip). Have to think about publication
due to corporate policies.
(Pekka): when will -02 version of SRTP be available?
(Hannes): shortly after the IETF
(Tom): As summary, we have two specification-oriented drafts (using SIP
to carry host identities, and SRTP).  The other (future) draft is the
planned SIP framework document. Hannes can be used as a contact
point for interested parties.

5.  Hannes next presented a revision of the Advanced NAT/Firewall
traversal problem statement draft.  He commented that most of the updates
were from very detailed review by Pekka Nikander.
(Tom):  Again, it may be nice to pair this draft (problem statement)
with a future version of Alfredo's draft that is a specific instance
of advanced NAT (SPINAT) techniques.

6.  Hannes presented the PATH NAT traversal draft, and noted the
duplication of work by other authors (draft presented at HIP WG).
(Pekka):  As I said before, the previous version of this draft had a lot
of problems.  Move the draft more in the direction of the WG draft.
The new (schmitt) draft is more practical but limited in the sense of NAT
detection.
(Lars): tried to implement based on PATH, but was not successful, so decided
to start a fresh document.
(Pekka): this is an RG, so we don't need to have rough consensus. So it is
OK to do different work than in the WG.
(Tom):  The PATH draft is more advanced in two areas than the schmitt draft:
i) considers NAT detection techniques, and more advanced scenarios (server
behind NAT).  Did the WG agree to pick up these issues?
(Pekka): WG agreed to look at more advanced scenarios for NAT traversal
than are in the current schmitt draft.
(Tom):  Is there anything that is HIP-specific about NAT detection?  Do
we want to have a HIP document for that, or just reuse other WG products
here?
(Pekka): Not sure for now, but maybe existing ones are very SIP oriented.
We can make a recommendation at the WG on what to use in practice.
Here we can consider other options.
(Andrew): use STUN, it works.
(Miika): Would like to see RG work on NAT detection.
(Tom): Hannes, are you interested in carrying such a draft forward (on
NAT detection)?
(Hannes): Will think about it.

7.  Software status review.
(Lars): Will release a patch to openhip soon for the "client behind a
NAT" case, and are interworking with HIPL implementation for NAT
traversal.
(Pekka):  Are you logging the hits to your HIP test server?
(Tom):  No, but agree that would be useful data.

8.  Three demonstrations were next performed and explained:
i) SPI-NAT.  Patrik Salmela and Petri Jokela (HIP4Internet project)
demonstrated traversal of a video client from a public Internet (v6)
location to behind a NAT that replaced private addresses with a public
v6 address.  The client moved to a (NATted) IPv4 address, and then the
NAT performed IPv4 to IPv6 translation.
ii) Janne Lindqvist and Miika Komu (HIPL project) demonstrated a
web-based GUI for configuring an advanced firewall that used HITs in
the ACL lists.
iii) OpenHIP.  Tom demonstrated HIP for Windows installation process
and user GUI, and interoperation between Windows XP and Mac OS X.