Minutes from 3/20/01 - 1st draft

Susan Hares <skh@nexthop.com> Wed, 20 March 2002 17:08 UTC

Hi all:

This is the first draft of the IDR working group minutes.
Please send corrections and questions to me or the list.

Sue Hares


PS - I'll welcome volunteers to take minutes at the next IDR meeting.

=========
Minutes of the IDR meeting

1) Agenda bashing - nothing added
2) IDR document status attached [power point presentation]
3) BGP MIB v2
	
	- 2547 MIB work will be added
	- Discussion of the BGP-MIB v2 will go on the list

4) BGP Security

   a) BGP Security analysis [presentation will be sent later]

     BGP Security Protections (draft-murphy-bgp-protect-00.txt)
     BGP Security Vulnerabilities Analysis (draft-murphy-bgp-vuln-00.txt)
	[see presentation]

	2) see Sandy's presentation for details on individual comments
	
	Alex: Security analysis draft is outside of the working
	      charter. (Routing AD)
	Ran: Security analysis is certainly within the charter for
	      a working group.

	IDR working group mailing list will discuss the drafts and
	whether work on this draft is within the IDR charter.
	Alex (Routing AD) will also ask the IESG whether this
	subject is part of our scope.

    b) Securing BGPv4 using IPsec [draft-ward-bgp-ipsec-00.txt]

   	a) application/deployment doc and not protocol extension
	b) Could be discussed in:
		a) Security policy working group
		b) IPS (security policy)
		c) IDR information RFC
	
	Question:
		1) section 2 - IKE is a "MUST" (an error)
		2) No encryption is not an issue to the security
	
	Alex Zinin (as Routing AD) states this is out of the charter for the
	working group.  We will need to revise the charter to include
	this draft.  The Routing ADs suggested that we wait until
	we have the Routing Security BOF to discuss requirements on the list.

    c) TCP MD5 draft

	Key Requirements for the TCP MD5 Signature Option
	draft-ietf-idr-md5-keys-00.txt

       [No slides from Marcus, notes are rough]

	a) Most credible attack is "key determination" by brute force

	    Took the current architecture of processors and software to
	    see what is reasonable.  The normal key is a
	    12-24 byte key length with "ascii" (most commonly used).
	
	    Recommendation: key: use HEX structure
			    change keys every 90 days

	b) IP Sec vs TCP MD5
		
	    Experience with public key infrastructures has
	    shown that a dynamic key infrastructure is difficult
	    to deploy.
	
	    If authentication is the only issue, use TCP MD5. If
	    encryption and data security are important, IPSEC is the choice.

	Using IKE for dynamic Key management may be useful.
	Profile for TCP MD5 re-keying for BGP would look different than
	OSPF.

	c) TCP MD5 versus HMAC MD5 - if starting today, use HMAC MD5.

    4) BGP Integrity Check using IRR
	
       Concerns with the draft:
	a) Multi-origin AS are a normal situation and good,
	    so this portion of the draft should be changed
	b) IRR can allow multiple origins per prefix
	c) Caching of the IRR Checks causes a problem
	   during start-up
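
An added example for the "TCP MD5 versus HMAC MD5" item above (not part of the minutes or of any draft they cite): the RFC 2385 signature, a single MD5 pass with the shared key appended last, computed next to HMAC-MD5 over the same bytes. The addresses, ports, header values and key are constructed sample values, and supplying the key as hex is one reading of the "HEX structure" recommendation.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values (not from the minutes): one BGP KEEPALIVE segment.
SRC, DST = "192.0.2.1", "192.0.2.2"
KEY = bytes.fromhex("6b1f9c02d47ae5830c55f1a97e2b40d6")  # constructed 16-byte key
FIXED = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000, 10 << 4, 0x18,
                    16384, 0xBEEF, 0)
OPTIONS = b"\x01\x01\x13\x12" + bytes(16)  # NOP, NOP, kind 19, len 18, digest slot
HEADER = FIXED + OPTIONS
PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"   # BGP marker, length 19, type KEEPALIVE


def rfc2385_input(src_ip, dst_ip, tcp_header, payload):
    """Bytes RFC 2385 hashes ahead of the key: pseudo-header, the fixed
    TCP header with a zeroed checksum and no options, then segment data."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"             # checksum field is assumed zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) +
              struct.pack("!BBH", 0, 6, len(tcp_header) + len(payload)))
    return pseudo + bytes(fixed) + payload


def tcp_md5_signature(key, covered):
    """RFC 2385 digest: one MD5 pass with the shared key appended last."""
    return hashlib.md5(covered + key).digest()


def hmac_md5_signature(key, covered):
    """HMAC-MD5 (RFC 2104) over the same bytes, for comparison."""
    return hmac.new(key, covered, hashlib.md5).digest()


def verify(key, covered, received, scheme=tcp_md5_signature):
    """Constant-time comparison of the received and recomputed digests."""
    return hmac.compare_digest(scheme(key, covered), received)


if __name__ == "__main__":
    covered = rfc2385_input(SRC, DST, HEADER, PAYLOAD)
    print("TCP MD5 :", tcp_md5_signature(KEY, covered).hex())
    print("HMAC-MD5:", hmac_md5_signature(KEY, covered).hex())
    print("wrong key accepted:", verify(b"guess", covered, tcp_md5_signature(KEY, covered)))
```

Both schemes depend on the same shared secret, so the key-length and 90-day rotation points recorded above apply to either one.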