[10:28:36] --- peterd has joined
[10:30:14] --- rpayn422 has joined
[10:37:50] --- mocmobile has joined
[10:45:26] --- mocmobile has left: Replaced by new connection
[10:50:55] --- hkruse has joined
[10:51:04] --- mlshore has joined
[10:52:23] --- brabson has joined
[10:52:39] --- mocmobile has joined
[10:53:48] --- masahiro has joined
[10:54:18] --- tskj has joined
[10:54:27] --- jishac has joined
[10:58:06] --- wivancic has joined
[10:58:18] <rpayn422> mip6 base specs have been approved as RFC 3775 and 3776
[10:58:50] <rpayn422> api and RO-SEC have completed wglc successfully
[10:59:04] <rpayn422> to be submitted to the ADs for review
[10:59:24] <rpayn422> MIB doctors are reviewing the MIB
[10:59:35] <rpayn422> wglc for the MIB, following the feedback from the MIB doctors
[11:00:13] <rpayn422> bootstrap design team has completed the work on the problem statement I-D, URL on mailing list
[11:00:37] <rpayn422> this I-D has been published as a WG doc (draft-ietf-mip6-bootstrap-ps-00)
[11:01:21] <rpayn422> new I-Ds (mip6-auth-protocol-00, mip6-nai-options-00)
[11:02:13] --- wivancic has left: Replaced by new connection
[11:02:57] <rpayn422> francis ?: no consensus on ?, less than 10 comments
[11:03:59] <rpayn422> draft-le-mip6-firewalls-01: revised, will be a WG I-D after IETF60
[11:04:26] <rpayn422> IKEv2 for setting up the MN-HA SA, required for MIP6
[11:04:52] <rpayn422> issue tracker: (slide changed too fast)
[11:05:40] --- brabson has left
[11:06:09] <rpayn422> update on draft for Route Optimization Security Design Background (ro-sec-01), -00 went to wglc in May, informational track
[11:06:56] <rpayn422> improvement to spurious BUs for CNs, more hints to know which CN merits being sent a BU (using ND dest cache)
[11:07:21] <rpayn422> Issues w/ IPsec related to text in the Intro, clarified
[11:07:28] --- vm has joined
[11:07:34] <rpayn422> caveat about questionable assumptions
[11:08:29] <rpayn422> DNSSEC bashing - Francis thinks the current text is fud against DNSSEC, will take to DNSEXT and bring feedback to mip6
[11:08:54] <rpayn422> home addr check needs different txt, care-of addr check
[11:09:15] <rpayn422> next up: bootstrap problem statement
[11:10:30] <rpayn422> bootstrap problem statement, Alpesh Patel
[11:10:52] <rpayn422> scope of bootstrapping - obtaining enough information to register MN to the HA
[11:10:57] --- norifmi has joined
[11:11:09] <rpayn422> namely: home address, home agent address, and security association or material to set up
[11:11:12] --- jishac has left: Disconnected
[11:11:16] --- jishac has joined
[11:12:19] <rpayn422> goals: obtain information for HA, can happen at any time, user-specific information may be stored on external entities (AAA server), must happen securely, must consider deployment scenarios, identify the minimal set of information required to bootstrap in each scenario
[11:13:06] --- ohira has joined
[11:13:08] <rpayn422> non-goals: prefix-renumbering in the home network, case where there is no trust relation btwn MN and provider
[11:13:12] --- jishac has left: Replaced by new connection
[11:13:13] --- jishac has joined
[11:14:03] --- brabson has joined
[11:14:56] <rpayn422> advantages of bootstrapping: minimizes pre-configuration that is needed, obtain HA dynamically, anchor to home agent dynamically, possible integration with AAA infrastructure (reuse access authent., permits roaming)
[11:15:13] --- mlshore has left: Disconnected
[11:15:38] <rpayn422> scope of the problem statement: describes various terms clarifying various network scenarios, describes network deployment scenarios, considers the various authentication models, . . .
[11:16:19] <rpayn422> draft describes 4 scenarios: from POV of the service model, basic assumption - trust relationship between MN and mobility service provider
[11:17:24] <rpayn422> scenarios - mobility service subscription, integrated ASP network, third party MSP, infrastructure-less (no trust relationship)
[11:17:47] <rpayn422> MSS - pre-arranged trust relation with MSP
[11:18:08] <rpayn422> integrated ASP net: ASP and MSP are same
[11:18:27] <rpayn422> third party: trust relation for mobility and actual mobility provided by different providers
[11:18:45] --- lucioslayer has joined
[11:19:15] <rpayn422> seed information - minimal info needed to authenticate the MN and obtain the bootstrap info (FQDN of HA, MN's NAI, and shared secret with AAA)
[11:19:37] <rpayn422> draft considers 2 cases: 1/ auth is mandatory, 2/ auth is optional for network access
[11:19:49] <rpayn422> next steps
[11:20:02] <rpayn422> no open issues from design team (closed, currently)
[11:20:13] <rpayn422> editorial comments from the WG
[11:20:22] <rpayn422> Design team members listed
[11:20:33] <rpayn422> solution?
[11:21:30] <rpayn422> C. Huitema: Q about existing solutions (EAP, AAA, etc.)
[11:22:01] <rpayn422> E Nordmark: confused by requirements for ties to an access network that may change
[11:23:00] <rpayn422> alpesh and chair: may tie access network to new networks
[11:23:12] <rpayn422> possible to piggyback
[11:23:52] <rpayn422> EN: this is highly undesirable
[11:24:38] <rpayn422> unknown: if MSP and ASP are same, there are some optimizations that can occur - integrated case is fairly common case
[11:25:11] <rpayn422> thomas narten: how often do we bootstrap?
[11:25:42] --- weddy has joined
[11:25:44] <rpayn422> answer: first time you power up, the first time out of the box, not something that is all that common; something that is not common enough to optimize?
[11:26:04] <rpayn422> last half of that was a comment by TN
[11:26:16] --- jishac has left: Replaced by new connection
[11:26:17] --- jishac has joined
[11:26:48] <rpayn422> unknown: pre-MIP6 registration problem, such as key management
[11:26:52] --- tskj has left
[11:27:25] <rpayn422> unknown3: one protocol for bootstrapping, or share info for both services
[11:27:48] --- tskj has joined
[11:27:50] --- avri has joined
[11:29:05] <rpayn422> (lost in conversation at the microphone)
[11:30:39] <rpayn422> agreement with EN, not to tie the information to one provider
[11:31:38] <rpayn422> CH: this only happens once, so it should be as flexible as possible - simpler
[11:32:19] <rpayn422> most current deployments use shared secrets
[11:33:54] --- lucioslayer has left
[11:33:55] <rpayn422> canadian hot spot uses a http connection to the broker's domain so customers can roam between hotspots; need to figure out a way to make it simple for deployment to avoid lots of non-standard solutions
[11:34:34] <rpayn422> (all microphone comments will be unattributed if names are not given, will be listed as mic:)
[11:34:51] <rpayn422> s/ smile/ mic:
[11:35:31] <rpayn422> chair: two draft presentations will be made, prior to dealing with the question of consensus
[11:35:59] <rpayn422> mipv6 auth option - status update
[11:37:07] <rpayn422> motivation: minimize over-the-air signalling per MN, reasonable time-to-market, reduce latency (during setup and handoff), ease deployment (NAI and auth infrastructure used for MIPv4), SDOs such as 3GPP2 require this option
[11:37:40] <rpayn422> solution (connection negotiation see slides)
[11:38:59] <rpayn422> changes from last version: removed encryption extensions which were encrypting certain fields, current version supports authentication of BU/BA messages only, added subtype for MN-AAA option
[11:39:35] <rpayn422> identification option - to define protection
[11:40:02] <rpayn422> next steps - clarify security considerations, clarify usage of MN-AAA option, usage details of the identification options
[11:40:57] <rpayn422> CH: one of the problems with the auth option is that many require add'l exchanged messages
[11:41:57] <rpayn422> CH: how to resolve issue with constraints of protocol - only one exchange
[11:41:59] --- lucioslayer has joined
[11:43:59] <rpayn422> CH: EAP is extensible, use it and include it in the design
[11:44:39] <rpayn422> (missed several comments)
[11:45:54] <rpayn422> james: CDMA2000 - largest customer needs this, it is okay to please them, need initial review by security directorate (fast fail)
[11:46:22] <rpayn422> security update based upon IPsec, trying to build a binding update that doesn't depend upon IPsec
[11:47:46] <rpayn422> need for a method without using IPv6?
[11:48:03] <rpayn422> oops, s/ipv6/IPsec
[11:49:32] --- hkruse has left: Disconnected
[11:50:08] <rpayn422> charles perkins - problem with id option; sequence number with update prevents replay attack so the outlined option is unnecessary. share with IPv4
[11:50:12] <rpayn422> mipv4
[11:51:15] --- yonuts has joined
[11:51:48] <rpayn422> mic: 3GPP nodes don't support IPsec, if you can't unforce the decision to require IPsec, this will not be usable by these nodes
[11:51:56] --- yonuts has left
[11:54:02] <rpayn422> (missed quiet comments)
[12:00:21] <rpayn422> is anyone able to capture any of this?
[12:00:21] <peterd> Q: Getting to issues with time synchro, if we are half a second off things won't work anymore
[12:01:43] <rpayn422> mic: timestamp-based replay would be desirable rather than just sequence-id
[12:02:12] <rpayn422> carrier would like ability to choose
[12:02:49] <peterd> Pete McCann (?) - 3gpp2 wouldn't need to use IPsec, something that was lost, there does seem to be a dependency between route optimization and IPsec.
[12:05:03] <rpayn422> mic: current application deployment switching back to mipv4 style authentication b/c IPsec-based authentication is not deployable
[12:06:31] <rpayn422> mic: draft text needed for re-keying, new key mgmt protocol?
[12:06:41] --- vm has left: Disconnected
[12:06:50] <rpayn422> mic: not a new protocol, just use shared secret for creating session keys
[12:08:44] <peterd> mic: there is a need for security experts to read the draft. There is nothing in the speakers view that is a issue. If there is nothing broken the WG should put this on the fast track
[12:10:36] <peterd> Consensus call in the room for how many people support 30 or so have read the draft - 30 to 40 support the standardization in addition to the ipsec solution
[12:10:40] --- norifmi has left: Replaced by new connection
[12:11:24] <peterd> 15 or so against this method in addition to IPsec for securing binding updates
[12:13:07] <peterd> This consensus is on this draft only and would not close the door on other authentication mechanisms
[12:14:25] --- norifmi has joined
[12:15:45] <peterd> mic: are the current IPsec specs too heavy for the market to accept them?
[12:19:43] <rpayn422> mic: not a clear consensus on the vote, based upon the number of hands raised compared to the number of people present
[12:19:52] --- inet6num has joined
[12:20:19] --- mocmobile has left: Disconnected
[12:20:24] --- inet6num has left
[12:20:36] --- fp has joined
[12:21:38] --- jishac has left
[12:21:51] --- jishac has joined
[12:23:20] --- admcd has joined
[12:25:55] <rpayn422> charles: re: NAI, not comfortable with making this defacto Internet identifier
[12:27:25] <rpayn422> mic: to make a unique, optimal identifier for creating a dynamic home address
[12:29:16] <rpayn422> slide: why NAI? is a mobility service enabler; provides authentication interface to the AAA, simple to allocate a mobility anchor point, allows dynamic allocation of IP address, provides unique identity to users, presents the user to the network, not his/her devices
[12:30:11] <rpayn422> CH: general problem - finally published a spec for MIPv6, currently adding new requirements for implementers for MN; destabilizing the specs that have been standardized
[12:30:30] <rpayn422> chair: disagree, will make this simpler to deploy
[12:31:45] <rpayn422> mic: lots of MN will have a unique identifier that does not fit in this framework
[12:33:58] --- peterd has left: Disconnected
[12:34:02] --- lucioslayer has left
[12:34:04] <rpayn422> will take the question of whether or not there is consensus for this, to the list
[12:34:11] <rpayn422> new presenter:
[12:35:06] --- rpayn422 has left
[12:35:14] --- peterd has joined
[12:35:21] --- admcd has left
[12:35:44] <peterd> Preconfigured Kbm between Mobile and CN
[12:36:11] <peterd> Testing Care-of address
[12:40:07] --- wivancic has joined
[12:41:24] <peterd> mic: has proposed a different solution
[12:42:26] --- wivancic has left: Replaced by new connection
[12:42:50] <peterd> mic: would like to have 2 documents, one if you do have a care-of address and one when you do not
[12:47:12] <peterd> new speaker:
[12:47:32] <peterd> Manual IPsec Keying for Mobile IPv6 - mostly informational/summary of conversations
[12:47:58] <peterd> RFC 3775 requires support for both manual and dynamic IPsec keying
[12:48:32] <peterd> What is dynamic keying? IKE, Any protocol that can negotiate a security association?
[12:48:46] <peterd> Has IETF created an impression that there??
[12:48:55] <peterd> (lost at slide change)
[12:49:08] <peterd> Mobile IPv6 in 3GPP2
[12:51:28] <peterd> mic: 2 things unclear - AES is a block cipher, so why do you suggest it is a stream cipher?
[12:53:29] --- wivancic has joined
[12:55:01] <peterd> new speaker
[12:55:38] <peterd> 2 people stepped to the mic to agree
[12:55:41] <peterd> new speaker
[12:56:09] <peterd> Solution for bootstrapping Mobile IPv6 relying on AAA infrastructure
[12:57:25] <peterd> No need to change access equipment
[12:57:41] --- wivancic has left: Replaced by new connection
[12:58:03] <peterd> Both RADIUS and Diameter can be used between NAS and AAA infrastructure
[12:58:24] <peterd> MN-HA IPsec SA can be set up from the keying material exported by the EAP method
[12:58:33] <peterd> Could be used also over IKEv2 ...
[12:58:55] <peterd> <chart on screen> Requirements on EAP methods
[12:59:00] <peterd> Next steps
[12:59:18] <peterd> Extensions of the ID with support for IKE authentication methods other than PSK
[12:59:29] <peterd> Specification of the AAA-HA interface
[13:00:01] <peterd> Definition of an AMSK(?)
[13:00:03] --- wivancic has joined
[13:00:07] <peterd> new speaker
[13:00:15] <peterd> IPsec between MN and CN
[13:00:57] <peterd> Some people don't believe that the return routability procedure provides enough security
[13:01:17] <peterd> Implicit applicability
[13:01:30] <peterd> IPsec and IKE profiles (use home address)
[13:01:40] <peterd> Strong proof of origin
[13:02:04] <peterd> Get the triangular routing back for free (home address option validation)
[13:02:23] <peterd> Protect the mobility signaling for the routing optimizations
[13:02:53] <peterd> <missed some bullets>
[13:03:09] <peterd> State-cookie mechanism for care-of address test
[13:03:39] <peterd> Conclusion: give a new reference point for routing optimization security
[13:04:41] <peterd> Questions, should this be a WG item?
[13:05:03] <peterd> Separate doc for the cookie based care of address test?
[13:05:40] <peterd> New speaker
[13:05:54] <peterd> Origination
[13:06:04] <peterd> Problem statement: Load Balancing
[13:06:37] <peterd> DHAAD can only be used for stationary load balancing among multiple HAs
[13:06:46] <peterd> No proactive notification message
[13:06:49] <peterd> Solution
[13:07:17] <peterd> Not only the MN's registration information but also the tunneled data traffic information will be used for dynamic HA load balancing
[13:07:17] --- wivancic has left: Disconnected
[13:07:27] <peterd> Extend home agent list
[13:08:11] --- sakai has joined
[13:08:31] --- weddy has left
[13:10:04] <peterd> mic: not sure if the WG needs a solution for load balancing in mipv6 right now
[13:10:37] <peterd> mic: bootstrap can be considered a means for load balancing
[13:11:29] <peterd> new speaker
[13:12:26] --- brabson has left
[13:16:34] --- avri has left: Disconnected
[13:16:43] --- fp has left
[13:17:56] --- jishac has left: Replaced by new connection
[13:17:57] --- jishac has joined
[13:18:11] <peterd> Applying CGA to optimize Mobile IPv6
[13:18:38] <peterd> based on Mike Roe's work from 2001 and Wassim's original OMIPv6 work
[13:28:02] <peterd> Next session at 5 - 6 today.
[13:28:24] <peterd> 2 presentations that were missed in this session will be given then
[13:28:34] --- peterd has left
[13:28:44] --- sakai has left
[13:30:29] --- tskj has left
[13:32:32] --- jishac has left
[13:46:12] --- norifmi has left: Disconnected
[13:47:21] --- masahiro has left: Disconnected
[13:48:56] --- ohira has left: Disconnected
[14:57:26] --- norifmi has joined
[15:25:33] --- avri has joined
[17:10:11] --- norifmi has left: Replaced by new connection
[17:10:12] --- norifmi has joined
[17:10:12] --- norifmi has left
[17:12:14] --- avri has left: Disconnected
[17:36:26] --- avri has joined
[17:51:12] --- masahiro has joined
[17:52:37] --- masahiro has left
[18:40:58] --- xfp has joined
[18:44:18] --- avri has left: Disconnected
[18:49:34] --- brabson has joined
[18:50:18] --- xfp has left
[18:52:48] --- wag has joined
[18:53:02] --- masahiro has joined
[18:54:04] --- Suresh Krishnan has joined
[18:54:49] --- wag has left
[18:55:01] --- arador has joined
[18:58:58] --- mallman has joined
[18:59:13] --- mallman has left
[19:02:13] --- toro_toro has joined
[19:07:50] --- toro_toro has left
[19:08:54] --- brabson has left
[19:10:50] --- toro_toro has joined
[19:13:30] --- toro_toro has left
[19:15:15] --- arador has left
[19:18:10] --- droms has joined
[19:20:24] --- avri has joined
[19:20:40] --- touchwood has joined
[19:32:37] --- droms has left
[19:37:19] --- toro_toro has joined
[19:47:01] --- Suresh Krishnan has left
[19:47:01] --- toro_toro has left: Disconnected
[19:50:50] --- toro_toro has joined
[19:51:45] --- toro_toro has left
[19:53:31] --- touchwood has left
[19:59:36] --- avri has left: Disconnected
[20:30:12] --- masahiro has left: Disconnected
[23:08:59] --- masahiro has joined