[12:02:26] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has joined
[12:03:10] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has left
[16:55:11] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has joined
[18:06:32] --- Dave Nelson has joined
[18:06:40] --- bert has joined
[18:14:13] <Dave Nelson> starting the meeting
[18:14:26] <Dave Nelson> review of milestones
[18:14:54] <Dave Nelson> all milestones are late
[18:15:18] <Dave Nelson> expect to discuss a change to the milestones
[18:16:05] --- hartmans has joined
[18:16:26] <Dave Nelson> four drafts -- transport subsystem, transport security model, secure shell transport model, RADIUS usage
[18:16:35] <Dave Nelson> agenda bashing
[18:16:37] --- sleinen has joined
[18:16:38] --- hartmans2 has joined
[18:17:48] --- jhutz has joined
[18:17:59] --- dlpartain has joined
[18:18:02] <Dave Nelson> presentation by Dave Harrington
[18:18:45] --- mikemlb has joined
[18:19:55] <Dave Nelson> slides are available at https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=67
[18:20:18] <hartmans> I'm sorry I cannot be there. I ended up needing to be in avt
[18:21:06] <Dave Nelson> review of architectural decisions as of IETF-66
[18:21:46] <Dave Nelson> review of open issues
[18:22:09] <Dave Nelson> transport subsystem issue #1
[18:23:08] <Dave Nelson> Should we add transportModel parameter to all ASIs?
[18:24:26] <Dave Nelson> Defining snmp<transportmodel>Domain implies transportModel, e.g. snmpSSHDomain/snmpSSHAddress vs. snmpSSHxDomain/snmpSSHxAddress
[18:25:25] <Dave Nelson> this solves the problem, does anyone have an issue with the recommendation?
[18:25:52] <Dave Nelson> Q: What's in the transportModel?
[18:26:41] <Dave Nelson> Basically a host name.
[18:27:12] <Dave Nelson> C: seems OK, because we are not changing all the ASIs.
[18:27:38] <Dave Nelson> issue # 2
[18:28:11] <Dave Nelson> transport subsystem doesn't do anything -- provides a conceptual framework
[18:28:31] <Dave Nelson> transport subsystem MIB isn't needed
[18:29:00] <Dave Nelson> any objections to eliminating this MIB module?
[18:29:16] <Dave Nelson> Almost ready for WGLC on the draft.
[18:29:41] <Dave Nelson> secure shell transport issue # 1
[18:29:47] --- weshardaker has joined
[18:30:30] <Dave Nelson> not independent of the security model, need independence to use SSH transport model security with different security models
[18:30:56] <Dave Nelson> securityName=Community, not SSH user
[18:31:07] <Dave Nelson> may be able to be resolved during editing
[18:31:37] <jhutz> I should have sat closer to the mike, I guess
[18:32:27] <Dave Nelson> you might have 2 security models, so we have a transport security model, no way of routing to any session security model.
[18:32:41] <Dave Nelson> BW: Community name?
[18:33:25] --- jr111 has joined
[18:33:35] <Dave Nelson> Some confusion on dave's part...
[18:33:49] <j.schoenwaelder@jabber.eecs.iu-bremen.de> I think the security model is determined by the SNMPv3 message; we just have to check that the transport security model properly checks that a valid tmStateReference is available from a secure transport.
[18:34:09] <Dave Nelson> WH: The implementers will do what need to be done. Separation is hard to get. They are bound.
[18:38:14] <hartmans2> Is the proposal to separate the tmsm from ssh tm so you can use another security model with ssh?
[18:39:24] <j.schoenwaelder@jabber.eecs.iu-bremen.de> Sam, the transport security model which is left essentially looks at the tmStateReference to pick up the required data from a secure transport and then
[18:40:03] <j.schoenwaelder@jabber.eecs.iu-bremen.de> passes things on. Since the security model is determined by the SNMPv3 message, we can in principle run other security models on top of ssh.
[18:41:18] <Dave Nelson> WH: adding a lot of work for little gain.
[18:41:27] <hartmans> That seems like a lot of complexity in an implementation.
[18:41:29] <Dave Nelson> JH: looking to highlight the abstraction.
[18:42:13] <Dave Nelson> JH: there is some language about this issue that's not quite baked.
[18:42:39] <Dave Nelson> JH: not asking a question; just reporting the status
[18:43:00] <Dave Nelson> ssh transport model issue #2
[18:43:52] <Dave Nelson> not a complete solution; ssh tm relies on usm for pre-session notifications, discovery, etc.
[18:44:24] <Dave Nelson> ssh may not be appropriate for short lived associations
[18:45:10] <Dave Nelson> need to determine a way to get contextEngineID
[18:45:33] --- mrw has joined
[18:45:53] <Dave Nelson> JH: SSH does not need a securityEngineID, just a contextEngineID
[18:46:09] <jhutz> OK; just making sure I understand
[18:46:49] <Dave Nelson> ssh transport model issue #3
[18:47:18] <Dave Nelson> C: want to get around needing usm on every agent. good when you don't do notifications
[18:47:25] <Dave Nelson> call home is not on our charter
[18:47:53] <sleinen> [This was Chris Elliott channeling Eliot Lear]
[18:48:09] <Dave Nelson> seems that trap definition needs some configuration as to where they should be sent
[18:48:45] <Dave Nelson> asymmetric notification authentication
[18:49:03] <Dave Nelson> still an open issue
[18:50:11] <Dave Nelson> Transport security model issue #1
[18:50:25] <Dave Nelson> managing sessions in the transport
[18:50:32] <Dave Nelson> issue #2
[18:50:40] <jhutz> really, handling notifications is _the_ big open issue. I think it's the one thing where we do not have a satisfactory answer.
[18:50:51] <jhutz> However, I don't yet think it is insurmountable.
[18:51:47] <Dave Nelson> the security model should enforce the requested security level, just a matter of working out the details
[18:51:59] <Dave Nelson> after resolving these issues should be ready for WGLC
[18:52:31] <jhutz> In fact, I really want to sit down again with Eliot and David and the Jurgens and talk this through. I suspect that we can't come up with a single approach that handles everything, but it's entirely possible we can get multiple approaches that between them cover all of the cases.
[18:52:32] <Dave Nelson> ISMS Milestone discussion
[18:52:38] <hartmans> As discussed at the interim, expecting to be able to get cipher or integrity algorithms out of ssh is going to make implementations much harder.
[18:53:13] <Dave Nelson> looking for any comments on the proposed new dates
[18:54:10] <Dave Nelson> two docs need one rev, one doc needs two revs
[18:58:06] <Dave Nelson> ISMS applicability statement -- integrate into one of the other docs?
[18:58:53] <jhutz> Sam, I don't think anyone expects to do that.
[18:59:16] <Dave Nelson> will remove the ISMS applicability statement as a separate doc on the charter
[18:59:44] <jhutz> The important thing is that the transport SM checks that the level of security requested is actually something the transport claims to provide. So, for example, you don't end up with someone trying to use TSM with UDP-over-IPv4 transport and thinking they have security.
[19:00:15] <Dave Nelson> presentation by Vladislav Marinov on performance analysis of SNMP over SSH
[19:01:10] <Dave Nelson> tradeoffs between session based and message based security
[19:01:16] <Dave Nelson> also provide some running code
[19:03:06] <Dave Nelson> optimizations: disable Nagle algorithm
[19:03:21] <Dave Nelson> SSH window adjustments
[19:04:42] <Dave Nelson> snmp get session establishment overhead measured
[19:06:15] <Dave Nelson> addition of 32 packets
[19:07:04] <Dave Nelson> Q: round trips or fragmented packets?
[19:07:15] <Dave Nelson> don't know
[19:07:53] <Dave Nelson> big overhead for a short session
[19:08:26] <Dave Nelson> measured overhead of snmpwalk and snmpbulkwalk
[19:08:28] <jhutz> did he understand my question? I don't think ssh keyex should take 5 round trips
[19:08:33] <jhutz> userauth, maybe.
[19:09:34] <Dave Nelson> <graphical data>
[19:11:44] <Dave Nelson> advantage of session based security seen for snmpwalks
[19:11:54] <jhutz> These results are not terribly surprising.
[19:12:48] <jhutz> I do think he's doing a reasonable job of presenting them.
[19:13:17] <Dave Nelson> WH: there are some caveats...
[19:13:40] --- mrw has left
[19:13:53] <Dave Nelson> WH: v3 support for net-snmp was added as a research effort, goal not performance, but rather an implementation that tested the spec
[19:14:23] <Dave Nelson> there has been no optimization since then
[19:14:55] <Dave Nelson> there have been no optimizations since then
[19:15:56] <Dave Nelson> <EOM>
[19:15:59] --- Dave Nelson has left
[19:16:05] --- jr111 has left
[19:18:59] --- hartmans has left
[19:22:44] --- dlpartain has left
[19:23:16] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has left
[19:23:59] --- jhutz has left: Disconnected
[19:25:54] --- weshardaker has left: Disconnected.
[19:28:00] --- bert has left
[19:40:33] --- sleinen has left
[19:48:23] --- mikemlb has left: Logged out
[20:03:42] --- weshardaker has joined
[20:03:42] --- weshardaker has left: Lost connection
[20:03:42] --- weshardaker has joined
[20:03:43] --- weshardaker has left: Disconnected.
[22:06:30] --- bert has joined
[22:07:06] --- bert has left