IETF
ipsecme@jabber.ietf.org
Monday, 5 November 2012
yoshfuji has set the subject to: ipsec wrapped...

GMT+0
[00:03:09] Michael Richardson leaves the room
[00:05:10] Michael Richardson joins the room
[00:09:58] Michael Richardson leaves the room
[03:04:04] Michael Richardson joins the room
[03:13:10] Michael Richardson leaves the room
[03:14:30] Michael Richardson joins the room
[03:17:25] Michael Richardson leaves the room
[03:18:08] Michael Richardson joins the room
[08:28:39] mc joins the room
[10:43:05] <mc> no audio?
[10:44:24] <mc> ah. wrong time.
[12:19:30] Michael Richardson leaves the room
[12:31:01] Michael Richardson joins the room
[12:31:55] Michael Richardson leaves the room
[12:32:02] Michael Richardson joins the room
[13:49:54] Michael Richardson leaves the room
[13:50:04] Michael Richardson joins the room
[14:01:08] Michael Richardson leaves the room
[14:03:52] Michael Richardson joins the room
[16:22:34] mc leaves the room
[16:22:48] Michael Richardson leaves the room
[16:26:36] Michael Richardson joins the room
[17:19:10] Michael Richardson leaves the room
[17:50:27] Michael Richardson joins the room
[19:22:44] Michael Richardson leaves the room
[19:23:11] Michael Richardson joins the room
[19:41:43] Michael Richardson leaves the room
[19:42:12] Michael Richardson joins the room
[19:46:11] Michael Richardson leaves the room
[19:46:55] Michael Richardson joins the room
[19:47:20] Michael Richardson leaves the room
[19:48:03] Michael Richardson joins the room
[19:57:20] Michael Richardson leaves the room
[19:57:49] Michael Richardson joins the room
[20:07:17] yaron.sheffer joins the room
[20:07:50] yaron.sheffer leaves the room
[22:02:20] yaron.sheffer joins the room
[22:02:26] yaron.sheffer leaves the room
[22:03:04] yaron.sheffer joins the room
[22:06:45] paulwouters joins the room
[22:19:41] <yaron.sheffer> mic: yes I do
[22:20:49] <paulwouters> should there be sound already?
[22:21:01] <yaron.sheffer> yes
[22:21:11] <yaron.sheffer> http://ietf85streaming.dnsalias.net/ietf/ietf854.m3u
[22:21:20] <paulwouters> hmm not hearing anything....
[22:21:37] <yaron.sheffer> it's quiet now
[22:24:19] <paulwouters> ahh i hear something now
[22:24:21] <paulwouters> very very quiet
[22:24:24] <paulwouters> ah yes
[22:24:25] <paulwouters> better :)
[22:26:35] yoav.nir joins the room
[22:27:00] <yaron.sheffer> my audio just went away. Is it just me?
[22:27:10] <yoav.nir> No, Paul is just quiet
[22:28:32] <yaron.sheffer> Nope, I mean I'm not getting any stream. Is your audio still good, Paul?
[22:29:05] <paulwouters> i hear nothing now
[22:29:42] <yoav.nir> Paul is mumbling about connecting his laptop to the projector
[22:30:19] <paulwouters> hmm stream is aborting after 1 second
[22:30:23] <yaron.sheffer> I'm not getting any audio packets no more. Sad.
[22:30:40] kivinen joins the room
[22:30:50] <yoav.nir> Did you hear that one?
[22:30:57] <yoav.nir> (from Paul)
[22:31:21] <paulwouters> no my stream is immediately stopping with an error
[22:31:27] <yaron.sheffer> Same here
[22:31:56] <paulwouters> both when using http://nagasaki.bogus.com:8000/stream04 or when using http://ietf85streaming.dnsalias.net/ietf/ietf854.m3u
[22:34:59] <paulwouters> still broken
[22:36:16] <yaron.sheffer> The stream is back now - though still background noise only
[22:36:42] <yoav.nir> We've alerted the NOC
[22:37:02] <kivinen> did you hear Paul's 3 minute warning?
[22:37:04] <paulwouters> yeah. seems i am in on the stream. but don't hear anything
[22:37:12] <yaron.sheffer> yes
[22:37:20] Hugh_Daniel joins the room
[22:37:33] <yaron.sheffer> there's a few sec delay, I heard him *after* your question
[22:38:20] Sean Turner joins the room
[22:38:30] cw joins the room
[22:39:45] <Hugh_Daniel> The output gain on the stream is VERY low. I have to turn it up to 100% to hear anything.
[22:39:49] <paulwouters> more volume?
[22:39:53] Andrew Chi joins the room
[22:40:01] <Sean Turner> is that better?
[22:40:12] <Hugh_Daniel> Helps.
[22:40:12] <paulwouters> yes!
[22:40:15] <paulwouters> that works!
[22:40:45] <yoav.nir> As always, if you want us to channel, prefix with "mic:"
[22:41:03] <yaron.sheffer> thx
[22:41:21] <yoav.nir> BTW: in case you want me to channel something, who's "letoams"?
[22:42:19] <paulwouters> letoams = paul wouters
[22:43:09] <yoav.nir> OK
[22:46:43] Michael Richardson leaves the room
[22:46:53] Michael Richardson joins the room
[22:48:25] <Michael Richardson> hi.
[22:48:41] <yoav.nir> Hi, MCR
[22:52:13] <yoav.nir> Can you hear Tero?
[22:52:15] <Hugh_Daniel> yes
[22:52:16] <yaron.sheffer> yes
[22:52:17] <paulwouters> soso
[22:52:17] <Michael Richardson> hi.
can you hear Tero?
[22:52:27] <paulwouters> yes is good now
[22:53:54] <paulwouters> btw : http://www.ietf.org/proceedings/85/slides/slides-85-ipsecme-0.pdf
[22:55:32] <Michael Richardson> paul, ||ugh, as far as I know, the format 11 raw rsa key isn't used/implemented in openswan.
[22:55:48] <paulwouters> correct
[22:55:52] <yoav.nir> What, it's implemented somewhere else?
[22:56:54] <yoav.nir> * crickets * - no one raises their hand
[22:57:01] <Michael Richardson> (would be nice to have it implemented, but sometimes the Tortoise wins...)
[22:58:29] <yaron.sheffer> mic: unhappy with this being individual if it obsoletes the old format
[23:01:22] <paulwouters> http://www.ietf.org/proceedings/85/slides/slides-85-ipsecme-5.pdf now ?
[23:01:47] <Sean Turner> yes
[23:03:24] paulwouters leaves the room
[23:10:59] PaulWouters joins the room
[23:12:27] <PaulWouters> mic: people already don't follow MUST/SHOULD, let alone following plus and minus modifiers
[23:19:14] <yaron.sheffer> mic: I would like to have the sense of the room re: Yoav's proposal of adding another algorithm: future insurance vs. more code added today.
[23:19:35] <PaulWouters> but you SHOULDN'T- do it? :)
[23:21:34] <kivinen> If I need to pick one out of the SHOULDs to implement, I will propose the one having + at the end.. :-)
[23:23:05] <PaulWouters> humm for backup algo
[23:23:07] <Hugh_Daniel> we need more backups
[23:23:22] <PaulWouters> we have more
[23:23:29] <PaulWouters> Camellia :)
[23:23:46] <Sean Turner> seed, aria ...
[23:24:15] <yaron.sheffer> there are also some more rational choices, e.g. Twofish
[23:24:34] <yoav.nir> Camellia has the advantage of being used extensively in TLS (supported in OpenSSL and Firefox, and enabled by default in both)
[23:24:36] <PaulWouters> right
[23:25:23] <yaron.sheffer> To me that just says that some Apache coder went out on a limb
[23:25:41] <yoav.nir> and one NSS coder
[23:25:44] <PaulWouters> http://www.ietf.org/proceedings/85/slides/slides-85-ipsecme-6.pdf ?
[23:26:10] sftcd joins the room
[23:26:31] <yoav.nir> and since both are open source that accept contributions, it could be the same coder
[23:26:55] <PaulWouters> Camellia is in the linux kernel too :)
[23:27:48] <yaron.sheffer> quite likely. The funny thing is, they ended up with Camellia at the top of the negotiation list (Firefox with Apache, I think). That's weird!
[23:29:19] <yoav.nir> Yes, I was quite surprised when I connected to my company's support site and it used Camellia. But that just proves my point that we have a lot of operational experience.
[23:30:18] <yaron.sheffer> But that doesn't mean that it's had a lot of security analysis, compared to AWS candidates for example.
[23:35:51] <yoav.nir> There's also the issue of performance. You can't have a backup algorithm that's 10x slower than the main algorithm. The customers would keep using the broken algorithm because it's still better than cleartext.
[23:37:23] <PaulWouters> http://www.ietf.org/proceedings/85/slides/slides-85-ipsecme-7.pdf
[23:37:28] <kivinen> can you hear dan?
[23:37:34] <PaulWouters> yes
[23:38:08] <yaron.sheffer> But all the AES candidates were also measured on performance. So they can't be terribly bad.
[23:38:49] <yoav.nir> True, but Intel hasn't added opcodes for them.
[23:39:07] <yaron.sheffer> Right.
[23:48:15] <PaulWouters> http://www.ietf.org/proceedings/85/slides/slides-85-ipsecme-1.pdf
[23:49:09] Sean Turner leaves the room
[23:51:22] Sean Turner joins the room
[23:54:16] Sean Turner leaves the room
[23:54:31] <PaulWouters> mic: for Dan: how to deal with deleting IPsec SA's and how do you setup multiple tunnels per end point if you kill off IKE SA when one IPsec SA is up?
[23:57:28] <PaulWouters> the other end might?
[23:58:10] <PaulWouters> so 10 IKE SAs for 10 IPsec SA's ? hmmmm
[23:58:34] <PaulWouters> also, no traffic tunnels with no IKE SA for NAT-T is a real issue