IETF
ipsecme@jabber.ietf.org
Friday, November 14, 2014
Yoav Nir has set the subject to: IPsecME Meeting at IETF 90 in Toronto

GMT+0
[01:05:24] yaron.sheffer joins the room
[01:06:31] yaron.sheffer has set the subject to: IPsecME Meeting at IETF 91 in Honolulu
[01:08:10] Meetecho joins the room
[01:08:30] Yoav Nir joins the room
[01:09:50] <Yoav Nir> @Yaron: Paul thanks you for your dedication and asks whether you're drinking Hawaiian coffee to stay awake
[01:10:33] <Yoav Nir> http://www.ietf.org/mail-archive/web/91attendees/current/msg00263.html
[01:15:38] <yaron.sheffer> Yes, absolutely. That's the kind of coffee they serve here in Tel Aviv.
[01:16:40] paulwouters joins the room
[01:16:42] <yaron.sheffer> Could you guys use QKD to beam some of it over here, for comparison?
[01:16:52] <Yoav Nir> As it turns out, this is pretty average coffee. The machine we have at the break room in our Tel Aviv office is much better
[01:17:19] <paulwouters> the only good coffee is honolulu coffee, 10 minutes walk along the beach
[01:17:57] <Yoav Nir> That message to the list created false expectations for me...
[01:19:03] <Yoav Nir> BTW: Did anyone express interest in DANE for IPsec? The DANE chairs are looking for volunteers to edit, and I'm wondering if it's because nobody cares.
[01:19:25] <paulwouters> Yoav Nir: I did :)
[01:20:03] <yaron.sheffer> Isn't there a major problem with legacy key sizes in DNSSEC, which limits the security of DANE?
[01:20:16] <paulwouters> not that I have noticed
[01:20:38] <yaron.sheffer> OK, good to hear that.
[01:20:44] <paulwouters> I switched fedora's opendnssec to 2048 ZSK along with 2048 KSK that was there already
[01:20:50] <Yoav Nir> The security of DNSSEC itself is orthogonal
[01:20:51] <paulwouters> and heard no complaints
[01:21:06] <yaron.sheffer> Why orthogonal?
[01:21:14] <paulwouters> we need to kill 10248 keys. not because they are unsafe but because people keep saying they are unsafe
[01:21:19] <paulwouters> 1024
[01:21:41] <yaron.sheffer> It is 3:20 here, too.
[01:21:44] kivinen joins the room
[01:21:52] <Yoav Nir> It sounds like a good idea, because in IPsec we don't have a bunch of CAs that everyone trusts like in HTTPS, so introducing two gateways that don't belong to the same org is hard. DANE seems to be a good way of getting around it.
[01:23:35] <yaron.sheffer> I'm not sure. You'd still need to policy-limit what CAs you're trusting.
[01:23:59] <Yoav Nir> I don't. I just trust the DNS.
[01:24:36] <yaron.sheffer> That's better than trusting the global PKI. But not good enough IMO.
[01:25:44] <paulwouters> who is at the mic?
[01:25:53] <yaron.sheffer> Rod van Meter, QKD
[01:27:17] <yaron.sheffer> Do we have a Jabber scribe?
[01:27:35] Catherine Dibble joins the room
[01:28:15] <Yoav Nir> I'll do it for the first half.
[01:28:20] <Yoav Nir> "Changes since adoption"
[01:28:28] Kathleen Moriarty joins the room
[01:28:34] <yaron.sheffer> Can you please ask Tero to do the 2nd half.
[01:28:45] <Yoav Nir> @tero: can you do the second half?
[01:29:08] <Yoav Nir> Tero says OK
[01:29:14] <yaron.sheffer> Thanks!
[01:29:36] <Yoav Nir> "Open issues"
[01:29:40] Catherine Dibble leaves the room
[01:31:28] mohammed serrhini joins the room
[01:34:27] <Yoav Nir> Paul W at the mic
[01:35:05] <Yoav Nir> Tero @ mic
[01:35:53] <Yoav Nir> I wonder if we could use RPKI certificates to authenticate ownership of networks for phase II
[01:36:44] <yaron.sheffer> But that's only good if it's the same router doing BGP and IPsec.
[01:36:52] <Yoav Nir> (and if RPKI is deployed at all, let alone to customers)
[01:36:53] <yaron.sheffer> Unless RPKI supports delegation.
[01:37:28] <Yoav Nir> The hierarchy in RPKI is delegation, but the BGP router usually doesn't delegate further
[01:40:16] <Yoav Nir> Dan Harkins @ mic
[01:41:18] <Yoav Nir> If you want anything channeled, say so
[01:41:22] <Yoav Nir> Brian Weis @ mic
[01:42:10] <Yoav Nir> Paul W @ mic
[01:42:12] <yaron.sheffer> mic: I am mostly worried about people assuming that one-sided auth is as good as TLS, which may not be true when investigated formally.
[01:43:54] <yaron.sheffer> mic: for the record, I disagree with my esteemed co-chair. OK with code assignment, not yet OK with LC.
[01:47:31] <kivinen> yoav starting his presentation. I will continue scribing
[01:48:01] <kivinen> "Defending IKE Responders Against Denial of Service attacks" presentation
[01:48:04] <kivinen> slide 3 now
[01:48:33] <kivinen> mcr @ mic
[01:48:37] mohammed serrhini leaves the room
[01:49:00] Edward Lopez joins the room
[01:49:47] <kivinen> slide 4
[01:50:23] <kivinen> slide 5
[01:51:24] <kivinen> slide 6
[01:52:01] <kivinen> slide 7
[01:52:48] <kivinen> slide 8
[01:54:02] <kivinen> slide 9
[01:55:24] <kivinen> slide 10
[01:56:00] <kivinen> slide 11
[01:56:29] <kivinen> slide 12
[01:57:03] <kivinen> slide 13
[01:57:50] <kivinen> mcr @ mic
[01:58:35] <kivinen> slide 14
[02:00:00] <kivinen> slide 15
[02:01:58] <kivinen> slide 16
[02:03:28] <kivinen> slide 17
[02:04:33] mohammed serrhini joins the room
[02:04:57] <kivinen> kivinen @ mic
[02:05:19] <yaron.sheffer> mic: with a 5/sec rate limit, the puzzle is meaningless, because attackers are desktops and so the puzzle is worth 0.1 sec or less. I still support puzzles, because they mitigate a botnet that's attacking *multiple* uncoordinated gateways.
[02:05:27] <kivinen> valery @ mic
[02:07:25] <paulwouters> kivinen: channel me asking if draft says something about making it easier for reconnecting puzzle solvers to help them not empty their battery
[02:09:35] <kivinen> bweis @ mic
[02:10:59] satoru.kanno@jabber.org joins the room
[02:12:13] <kivinen> rene hummen @ mic
[02:15:51] <paulwouters> rod who?
[02:15:51] <kivinen> R. Van Meter @ mic
[02:15:56] <paulwouters> thanks
[02:19:32] mohammed serrhini leaves the room
[02:24:15] Edward Lopez leaves the room
[02:24:19] Yoav Nir leaves the room
[02:24:20] Kathleen Moriarty leaves the room
[02:24:20] kivinen leaves the room
[02:24:31] yaron.sheffer leaves the room
[02:25:34] paulwouters leaves the room
[02:27:10] satoru.kanno@jabber.org leaves the room
[02:35:08] Meetecho leaves the room
[02:38:17] Kathleen Moriarty joins the room
[02:48:25] satoru.kanno@jabber.org joins the room
[03:09:47] paulwouters joins the room
[03:33:52] paulwouters leaves the room
[04:15:23] paulwouters joins the room
[04:21:03] paulwouters leaves the room
[04:25:58] Kathleen Moriarty leaves the room
[04:35:41] satoru.kanno@jabber.org leaves the room
[04:41:00] satoru.kanno@jabber.org joins the room
[06:12:12] satoru.kanno@jabber.org leaves the room
[11:37:15] satoru.kanno@jabber.org joins the room
[12:25:17] satoru.kanno@jabber.org leaves the room
[18:06:34] satoru.kanno@jabber.org joins the room
[18:14:47] satoru.kanno@jabber.org leaves the room
[19:07:33] satoru.kanno@jabber.org joins the room
[19:16:36] satoru.kanno@jabber.org leaves the room