IPSRA minutes

Note that the two main presentations are available on the WG web site at <http://www.vpnc.org/ietf-ipsra/>.

Agenda bashing
       No additional topics were proposed

Charter reminder
       Repeated the three goals from the charter
       Meta-requirement: must not change IKE until IPsec WG is done with it (more than a year away, probably)
       We have current authentication proposals
               Legacy authentication -> short term certs
                       get-cert
                       PIC
       We have a current configuration proposal
               DHCP (now a submission to the IPsec WG)

IPSRA Requirements document
       Scott Kelly gave a detailed discussion of the draft.
       There were many changes between draft -00 and -01
               Deleted roaming/wireless users, and user-to-user connections from scenarios
       Mobility requirements were deleted
               Load balancing (multiple points of entry) vs. remote users changing their IP address
       Accounting requirements need to be fleshed out
               Connection start & stop
               Incoming and outgoing octet counting
               Where does accounting happen
               Jeff Schiller said that accounting can be done better in another group.
               Jesse Walker pointed out that some accounting info disappears when it becomes encrypted.
       What is machine authentication? How is it different from user authentication?
               Marcus Leech said machine certs are out of scope. It doesn't matter who has the private key.
       Some scenarios deleted:
               Roaming users (it is the same as telecommuter)
               User-to-user (it is the same as regular IPsec)
       Added discussion of threats and mitigation to telecommuter scenario discussion
       Added statement about encouraging migration to stronger authentication systems to legacy compatibility section
       Open Issues:
               IRAC Policy config: not really in scope, but should be able to do it.
               Mobility requirement
                       Do we want to support single-sign-on?
                       Client having a dynamic IP address: can renegotiate SA
                       Multiple access points into the network; once per session
       Protection of password on the laptop out of scope, says Marcus.
       Scott will do version -02 of the requirements document soon.
       Question from the floor: do we allow two-factor? General answer was yes, within the auth proposals, not outside.

Discussion of authentication proposals
       PIC:
               Yaron Sheffer said there had been internal talk between the authors on PIC. They will get us a new draft within a month.
       Getcert:
               Steve Bellovin said he had nothing new to say. We will hold a straw poll among the four parts of getcert on the mailing list soon, and Steve will flesh out the proposal for the one that wins. This will be done soon so the WG can decide.

DHCP Configuration of IPSEC Tunnel Mode
       Bernard Aboba gave a quick overview of the draft.
       The draft is fairly stable unless folks find problems. There haven't been any big changes since the last meeting.
       Meets the requirements for typical configuration using current DHCP.
       Can use DHCP authentication; this is not access control -- just to prevent attacks.
       There was a discussion of whether there should be a different htype or option used just for VPN. This might help failover systems to re-allocate IP addresses from the pool.
       Users want consistency between gateway reboots, if possible

Other
       There was a question about whether the WG was trying to be NAT-friendly. The answer was: not in our charter.
       There was a brief discussion of the way forward, which will be to evaluate the two authentication proposals in the next few months. The configuration proposal can be finished separately, sooner.

--Paul Hoffman, Director
--VPN Consortium