[13:44:41] --- rik wade has joined
[14:36:35] --- admcd has joined
[14:43:01] --- loughney has joined
[14:58:31] --- mlshore has joined
[14:59:44] <loughney> can someone be the jabber scribe? Full text reporting not needed.
[14:59:58] <rik wade> thanks, john, I was just about to ask the same
[15:00:36] --- Fred Baker has joined
[15:00:56] <Fred Baker> I will be the jabber scribe
[15:02:11] <Fred Baker> starting meeting 13:14
[15:02:31] <Fred Baker> Agenda: bashing, GIMPS, Application Statement
[15:02:46] --- sakai has joined
[15:03:02] <Fred Baker> List of posted drafts - NAT/Firewall traversal, security, intra-realm considerations
[15:03:29] <Fred Baker> Tuesday to discuss QoS and accounting.
[15:04:37] <Fred Baker> Have requested publication of signaling document.
[15:05:05] <Fred Baker> Last call completed on security properties
[15:05:21] <Fred Baker> threat analysis in last call. Will get sent in with framework document
[15:06:06] <Fred Baker> proposed new work in mobility, diffserv resource management, and the QoS-NSLP QSpec. Discussion on the list
[15:06:57] <Fred Baker> first session: GIMPS protocol. Intended to be 15 minutes.
[15:07:10] --- Jukka Manner has joined
[15:07:28] <Fred Baker> Robert Hancock presenting
[15:08:59] <Fred Baker> Status: -02 version closed some detail issues and added new material describing service interface and so on.
[15:09:15] <Fred Baker> There is also an initial proposal on protocol negotiation etc
[15:09:33] <Fred Baker> -03 version (current) not functionally different but more detail.
[15:09:39] <Fred Baker> 2 major issues
[15:09:40] --- dinakar has joined
[15:09:54] <Fred Baker> first issue: Connection Mode Protocol Configuration
[15:10:19] <Fred Baker> How should the attributes of the connect be negotiated?
[15:10:51] --- dlpartain has joined
[15:11:06] <Fred Baker> security protocol introduces new vulnerabilities. Proposed strategy (many options) is to go with something simple that works and postpone extensions
[15:11:16] <Fred Baker> section 6.6 covers this issue
[15:12:04] <Fred Baker> slide provides overview of negotiation - 3-way handshake. Addressing adds information objects.
[15:12:23] <Fred Baker> Concern from interim: too flexible, make some decisions
[15:13:25] <Fred Baker> Approach: define transport attributes more precisely (4.1) - can be reliable or not, reliable messages delivered in order, prioritization influences node-local scheduling
[15:13:41] <Fred Baker> negotiation = discovery of peer capabilities
[15:14:41] <Fred Baker> Next step - is everyone happy? If so, refine and make it happen (sections 8.5 and 8.6 go away). UDP in one direction, TCP in the other direction.
[15:15:13] <Fred Baker> Chair speaks: we need to resolve this, please use the mike
[15:15:55] <Fred Baker> ?? at mike: concerned about race conditions.
[15:16:09] <admcd> cedric aoun at mike
[15:16:10] <Jukka Manner> that was cedric
[15:16:32] <Fred Baker> Robert: we need to discuss race conditions in the presence of a white board.
[15:17:05] --- Tom Phelan has joined
[15:17:10] <Fred Baker> Bob Braden: reliable delivery imposes delay, and packet exchange overheads (same concern as raised in using TCP for BGP).
[15:17:57] <Fred Baker> Robert: we like simple approaches, and want therefore to use existing mechanisms rather than defining a new transport. Many issues around application failure that this won't solve.
[15:18:21] <Fred Baker> Rudiger - wants cost/benefit analysis for prioritization of calls.
[15:18:39] <Jukka Manner> "Rudiger Geib"
[15:19:07] <Fred Baker> Robert: it is not prioritization of calls, it is prioritization of messages, and therefore reordering.
[15:19:30] <Fred Baker> second issue: Message/Protocol Extensibility section 8.11 and appendix C
[15:20:08] <Fred Baker> intended to have lots of commonality among messages, basically TLVs in a flat space. Intended to encourage commonality of processing.
[15:20:17] <Fred Baker> Someone needs to define the TLV.
[15:21:46] <Fred Baker> Question - in various uses of various protocols, adding an object can materially change the nature of the request (add a given object in RSVP and it becomes MPLS Traffic Engineering). It would be nice to be able to say "if you don't understand this object, you should not accept the message".
[15:22:03] <Fred Baker> Looking for experienced folks in the area of protocol extensibility.
[15:22:23] --- rik wade has left: Replaced by new connection
[15:22:24] --- rik wade has joined
[15:22:33] <Fred Baker> Chair comment: should be modeled as a transport protocol extension, not an application extension. Asking for AD comments.
[15:22:59] <Fred Baker> Allison: Allison plans to really think about this, as RSVP in this area suffered.
[15:24:05] <Fred Baker> Allison: Not really a transport problem only, and not really application only. This will require skull work.
[15:24:37] <Fred Baker> Proposal for extensibility flags: "Critical", "Propagate", and "Refresh"
[15:25:54] <Fred Baker> Bob Braden: discussing IANA procedures of how to add classes and attributes. Basically, it is hard to add piecemeal, need a design up front.
[15:26:12] <Fred Baker> Madly pages through slides...
[15:26:59] <Fred Baker> Robert: believes that basic protocol is clear, looking for API validation and wants to add detail on certain issues. Really wants feedback.
[15:28:31] <Fred Baker> Status after San Diego - write code, looking for volunteers, and looking for a timetable for a WG snapshot
[15:28:59] <Fred Baker> Rudiger Geib: not clear to him how to implement given the number of options in the protocol.
[15:29:28] <admcd> GIMPS slides are at: http://nsis.srmr.co.uk/~reh/draft-ietf-nsis-ntlp-03.ppt
[15:29:46] <Fred Baker> Robert: wants to know what is easy or hard. Notes that he has not thought very hard about implementation issues.
[15:30:41] <Fred Baker> Also trying to figure out the best way to structure the spec. for example, RSVP had separate document for processing rules.
[15:30:45] <Fred Baker> Moving on...
[15:30:58] <Fred Baker> Applicability Statement for NSIS in Mobile Environments
[15:31:08] <Fred Baker> Lee presenting
[15:32:28] --- Tom Phelan has left
[15:32:40] <Fred Baker> mobility presents a number of issues - latency in route changes, encapsulations, session ownership, and so on.
[15:34:53] <Fred Baker> Specific issues with NTLP: detecting route changes in uplink/downlink problematic, inter-layer interactions, where to do CRN discovery, and how does this fit with encaps?
[15:35:23] <Fred Baker> Also details of intervals after changes before something happens.
[15:37:21] <Fred Baker> Future work: consolidate the list of open issues, define design choices, evaluate, and so on.
[15:38:24] <Fred Baker> Rudiger Geib: It might be worth looking into the reality of the protocol. Chair comments that the protocol is likely to be experimental.
[15:39:07] <Fred Baker> Side comment - this didn't sound like an applicability statement to me, it sounded like a protocol development...
[15:39:31] <Fred Baker> third draft: NAT/Firewall traversal, Cedric Aoun
[15:40:10] <Fred Baker> Historical note: there have been a lot of drafts, and work has directly affected this main document.
[15:41:09] <Fred Baker> Editorial changes: author thinks it is more readable, security discussion in one section, and new terminology defined: "opportunistic address"
[15:41:26] <Fred Baker> Tried to optimize number of messages and message processing.
[15:43:42] <Fred Baker> added policy rules - need feedback from WG as they don't know if it is what is needed. new response-type object is to detail policy-specific responses.
[15:45:19] <Fred Baker> detailed slide on NAT traversal. My ASCII Art is good, it's not that fast though...
[15:46:33] <Fred Baker> "trigger" extension: when receiver gets more info about sender, it sends trigger message to feed to firewall and change the pinhole route appropriately.
[15:47:47] --- loughney has left
[15:47:50] <Fred Baker> explored hop by hop refresh (like RSVP); decided to stay with end to end refresh messages. Issue is lifetime of state.
[15:49:24] <Fred Baker> Document updates: you know you are the last NTLP node if you get no response from someone beyond you. Processing rules added for the case.
[15:50:10] <Fred Baker> Second update: issues of routing changes, and malicious spurious announcement of such.
[15:51:18] <Fred Baker> Concerned about DOS attacks using NSLP discovery procedures.
[15:53:20] <Fred Baker> Discussion about placing security issues in NLTP or NSLP; the sense is that it makes more sense at the higher protocol, but there are some issues with doing that as well.
[15:53:31] --- Jukka Manner has left
[15:53:42] --- Jukka Manner has joined
[15:54:08] <Fred Baker> Chair suggests that "making the hard choices" is in order - need to decide whether to fish or cut bait.
[15:56:04] --- dlpartain has left
[15:56:27] <Fred Baker> Open issue on "trigger" - no comments on list. Author likes the flexibility but is asking about when the triggers are required, or are they at implementation's option?
[15:57:53] <Fred Baker> comment at mike: there have been issues (mobile ip) on this on the mailing list
[15:58:54] <Fred Baker> "twice NAT" - sometimes flows are assymetric through two NATs into the same domain. numerous issues here.
[15:59:44] <Fred Baker> Next draft: path-coupled NAT/Firewall signalling security problems
[16:00:02] <Fred Baker> Hannes Tschofenig
[16:00:20] --- Suresh Krishnan has joined
[16:00:56] <Fred Baker> authors looking for comments and issues. Would like to reuse existing security protocols/procedures where possible.
[16:02:49] <Fred Baker> reuse readily shown useful at lower layers. Higher layers - not as obvious, and not worked out.
[16:03:12] <Fred Baker> Seeking "Sender invariance"
[16:05:40] <Fred Baker> Author suggests that NAT signalling has fewer security constraints than other options. There are many firewall traversal options, and they are generally highly constrained or drop security altogether.
[16:06:08] <Fred Baker> End-to-end security - thinks that association between application and NSIS security is advisable.
[16:07:36] <Fred Baker> Issues exist in asymmetry of security protocols.
[16:08:37] <Fred Baker> Interested in using offloaded AAA procedures for firewall traversal.
[16:09:09] <Fred Baker> next steps: looking for mailing list commentary
[16:09:47] <Fred Baker> next draft: threat analysis document.
[16:10:12] <Fred Baker> Identifies NATFW NSLP threats. States requirements, but proposes no solutions.
[16:10:40] <Fred Baker> many attacks - AAA, DOS, M-i-M, Message Modification, etc.
[16:11:39] <Fred Baker> AAA attack: initiator in other network, coming to user within network across firewall. One could simply send to receiver, but operator may not trust foreign users (why have a firewall?)
[16:12:03] <Fred Baker> no way to bind AAA to IP addresses.
[16:12:16] <Fred Baker> status: please read and comment.
[16:13:04] <Fred Baker> next draft: NATFW NSLP deployment/integration considerations
[16:13:29] <Fred Baker> Migration requirements (updated migration draft).
[16:13:44] <Fred Baker> Case: end host supports NATFW but NAT/FW does not...
[16:13:59] <Fred Baker> not supported...
[16:16:08] --- loughney has joined
[16:16:16] <Fred Baker> NSIS unaware firewalls are really an issue. If firewall is aware, most issues work.
[16:16:45] <Fred Baker> Issue: responder with several IPv4 and/or IPv6 addresses.
[16:17:55] <Fred Baker> existing address selection mechanisms don't work, as we don't know what is local and what is global, and we don't know whether an address that is local in my domain is in fact in my domain.
[16:19:17] <Fred Baker> draft-*-nsis-*-interrealm*.txt: one wants to count NATs traversed and choose path with least number of NATs.
[16:20:18] <Fred Baker> Basically need help from NAT to understand routing through NAT
[16:21:01] <Fred Baker> Done for today...
[16:21:10] --- loughney has left
[16:21:11] <rik wade> thanks, Fred.
[16:21:32] --- rik wade has left
[16:22:12] --- Fred Baker has left
[16:23:42] --- mlshore has left
[16:30:32] --- sakai has left
[16:30:38] --- admcd has left
[16:33:40] --- dinakar has left
[16:33:55] --- Jukka Manner has left
[17:17:19] --- Suresh Krishnan has left: Disconnected
[17:18:04] --- Suresh Krishnan has joined
[17:19:14] --- Suresh Krishnan has left
[18:49:50] --- danwing has joined
[18:55:37] --- danwing has left