[09:56:57] --- davidbnelson has joined
[09:58:29] --- alexis.hildebrandt has joined
[09:59:48] --- david.mark.jones has joined
[10:00:22] <davidbnelson> review of document status
[10:01:01] <davidbnelson> location attributes, needs a message to the ADs indicating comments have been resolved
[10:01:14] --- david.mark.jones has left
[10:01:39] <davidbnelson> hannes on filtering, has a question on the list wrt extensibility
[10:02:02] <davidbnelson> gets inherited in Diameter, as well
[10:02:04] --- dromasca has joined
[10:02:36] <dromasca> i am the jabber lurker, if anybody has questions we'll relay
[10:02:37] <davidbnelson> should become a formal issue?
[10:03:13] <davidbnelson> alan dekok preso on issues & fixes (slides are on the IETF meeting materials site)
[10:04:16] <davidbnelson> issue on retransmit timers, fix it to lift text from PANA
[10:05:07] <davidbnelson> -05 revision on the archive as of yesterday
[10:05:29] <davidbnelson> clarification on caching of requests and responses
[10:06:15] <davidbnelson> clients should use message authenticator attr in all messages
[10:06:46] <davidbnelson> unknown rejects should be configurable?
[10:06:58] <davidbnelson> it's a must elsewhere...
[10:10:00] <davidbnelson> may have further discussion in the context of the extended attributes
[10:10:23] <davidbnelson> ask everyone to read this, there may be changes that have wide impact
[10:10:45] <dromasca> re-submit 05 to the iesg
[10:11:48] <davidbnelson> PANA made some changes to the retransmission text yesterday... do we need to pick this up?
[10:12:52] <davidbnelson> mauricio sanchez preso on traffic rules
[10:13:17] <davidbnelson> hannes - should we extend the WGLC since it was close to the IETF meeting time?
[10:14:14] <davidbnelson> issue with re-authorization in the HTTP re-direction case
[10:14:52] <davidbnelson> proposed a version number, so that the semantics could be extended by upping the version number
[10:15:14] <davidbnelson> hannes - how do we know which versions are supported?
[10:16:18] <davidbnelson> right now it is a monolithic approach, all prior ABNF would need to be carried along
[10:16:53] <davidbnelson> capability feature has been removed
[10:18:59] <davidbnelson> glen - get rid of the BSD format, and put it into an extended attribute
[10:19:25] <davidbnelson> glen - string parsing is unpopular and CPU intensive
[10:20:06] <davidbnelson> hannes - encode in different attributes instead of in a string, the approach taken in Diameter
[10:21:09] <davidbnelson> take the discussion to the list, send a pointer to the Diameter draft
[10:21:35] <davidbnelson> glen - Diameter way of doing things is broken, don't need to follow this precedent
[10:22:13] <davidbnelson> hannes - how to represent the filters in a compact way
[10:22:41] <davidbnelson> mauricio - didn't really investigate other encoding schemes
[10:22:58] <davidbnelson> extend WGLC to Monday, please read the document
[10:23:21] <davidbnelson> hannes - if we change the encoding, it's not a minor WGLC issue
[10:23:43] <davidbnelson> bernard - we decided to follow what DIME WG is doing
[10:24:28] <davidbnelson> hannes -- not sure what the right thing to do is
[10:33:25] <davidbnelson> try to resolve in DIME and then if changes, another WGLC in both WGs
[10:33:44] <davidbnelson> glen zorn - preso on extended attributes
[10:37:56] --- jtest1a has joined
[10:38:31] --- jtest1a has left
[10:38:50] <davidbnelson> alan dekok - implementation question about fragmentation bits, must be contiguous, not scatter/gather
[10:39:21] <davidbnelson> bernard aboba - implication as to whether we can ignore attributes that are not understood?
[10:39:57] <davidbnelson> bernard - different from standard space as clarified in issues and fixes
[10:40:10] <davidbnelson> glen - should define the same behavior of standard attributes
[10:41:17] <dromasca> david nelson - zero poisoned value as oid?
[10:41:26] <dromasca> glen - seems to be allowed
[10:41:44] <davidbnelson> bernard - we have consensus to make this a WG work item
[10:42:08] <davidbnelson> bernard - preso on WLAN attributes
[10:42:34] <davidbnelson> got rid of two attributes SSID and Allowed SSID
[10:43:07] <davidbnelson> reviewed in 802.11
[10:43:29] <davidbnelson> added EAP lower layer attribute
[10:43:44] <davidbnelson> asked folks in 802.1af to look at this
[10:43:56] <davidbnelson> support 802.11r and maybe some others
[10:44:19] <davidbnelson> alan dekok - what to do with EAP fragments?
[10:44:45] <davidbnelson> bernard - handled in 3579?
[10:45:20] <davidbnelson> authenticator knows max size but peer doesn't
[10:46:06] <davidbnelson> bernard - preso on design guidelines
[10:46:14] <davidbnelson> new doc editor, alan dekok
[10:46:26] <davidbnelson> focused on data model only, not extensions
[10:47:53] <davidbnelson> dan romanascanu - distinction between SDOs and vendors?
[10:48:16] <davidbnelson> bernard - there is some archaic language
[10:50:12] <alexis.hildebrandt> What does SDOs stand for?
[10:50:30] <davidbnelson> Standards Development Organization
[10:50:55] <alexis.hildebrandt> Ah, thank you.
[10:54:46] <davidbnelson> do we have an idea of the popular formats of VSAs?
[10:55:31] --- bew has joined
[11:00:08] --- davemitton has joined
[11:03:06] <davidbnelson> dan romanascanu - using the term SDO. difficult to make a clear distinction between SDO, industry forum, individual vendor.
[11:03:30] <davidbnelson> bernard - how does it work with SNMP?
[11:04:39] <davidbnelson> dan - two issues. There is IETF as the rest of the world.
[11:05:24] <davidbnelson> recommendations follow this model, used non-IETF instead of SDO. Vendors have never asked for MIB review.
[11:05:45] <davidbnelson> encourage other SDOs to do their own mibs
[11:06:40] <davidbnelson> if it's not an order of magnitude higher workload, we may be able to go that way.
[11:15:39] <davidbnelson> dave nelson - not about which attr space but about using a common data model
[11:16:15] <davidbnelson> bernard - next steps, new version doc, put out for WG review, accept as WG work item, and then WGLC
[11:17:05] <davidbnelson> dan romanascanu - poll now as to WG doc?
[11:17:18] <davidbnelson> in the room seems yes
[11:24:15] --- ldondeti has joined
[11:27:31] <davidbnelson> alan dekok preso on RADIUS over DTLS
[11:27:58] <davidbnelson> bernard - can radius vs dtls request on the same port be distinguished?
[11:28:02] <davidbnelson> alan - yes
[11:30:03] <davidbnelson> joe salowey - client code example, is server equiv?
[11:30:34] <davidbnelson> alan - need to look at the packets, for initial dtls packet need to make a distinction, then remember that in the mux
[11:31:10] <davidbnelson> alan - more work to do on the server in the mux
[11:31:39] <davidbnelson> scott kelly - has implemented tls onto radius, did not find it all that onerous, for or against?
[11:31:47] <davidbnelson> alan - i'm proposing it
[11:32:17] <davidbnelson> scott - crypto acceleration, can use offload cards, not that onerous
[11:32:41] <davidbnelson> scott - there are issues with the open ssl implementation, mtu problem
[11:33:17] <davidbnelson> bernard - radius packet size decreases to the mtu?
[11:33:29] <davidbnelson> scott - yes, would need to be addressed
[11:34:24] <davidbnelson> joe salowey - preso on keywrap
[11:37:34] <davidbnelson> bernard - question about difference between generic data encryption vs. a key wrap
[11:37:57] <davidbnelson> joe -- a key wrap relies on the randomness of the payload for its security properties
[11:38:04] <davidbnelson> bernard - converse?
[11:38:38] <davidbnelson> joe - generic data encryption probably could be used for wrapping keys, but NIST has a preference for AES Key Wrap
[11:38:58] <davidbnelson> hannes -- what about traversing intermediate nodes.
[11:39:14] <davidbnelson> joe - probably used in hop-by-hop mode
[11:40:04] <davidbnelson> hannes - dtls usage is obviously hop-by-hop, Diameter CMS work is in the same usage space
[11:40:21] <davidbnelson> bernard - Diameter CMS is a different issue
[11:41:50] <davidbnelson> glen - scope of proposal is limited by trust relationships
[11:42:06] <davidbnelson> glen - not going to build a key management system for radius
[11:42:41] <davidbnelson> hannes - need to know if the recipient knows the identities
[11:43:15] <davidbnelson> dan harkins - what is the point of the IV?
[11:43:38] <davidbnelson> joe - don't need it for randomness, the key wrap ID says it should be used.
[11:43:44] --- dromasca has left
[11:44:22] <davidbnelson> dan - what is the point of the randomizer?
[11:44:30] <davidbnelson> joe - not all messages contain keys.
[11:45:06] <davidbnelson> joe - recommended to use message authentication when using key wrap, but can be used separately
[11:45:46] <davidbnelson> dan - enforce the mandatory nature of some of these features
[11:46:22] <ldondeti> no need to include the IV if we use key wrap; we can always use CBC with an IV if we have the space
[11:46:49] <ldondeti> space == if common overhead not an issue
[11:47:39] <davidbnelson> don't specify a key management scheme, but it could be used with one
[11:47:55] <davidbnelson> application id specifies what the key should be used for
[11:48:25] <davidbnelson> generic attr encr is similar, but all under a single attr
[11:48:48] <davidbnelson> bernard - separate algorithms and keys?
[11:48:57] <davidbnelson> joe - possible
[11:49:07] --- vidya has joined
[11:49:22] <davidbnelson> dan harkins - unspecified fields are a giant covert channel
[11:49:42] <davidbnelson> joe - may be able to be adjusted with the extened attribute work
[11:50:01] <davidbnelson> dan - not defined. so how do you interoperate
[11:50:18] <davidbnelson> joe - program the keys along with the key ids in the endpoints
[11:50:33] <davidbnelson> glen - it's primitive but it's what we do now
[11:53:10] <davidbnelson> hannes - operators just don't use end-to-end security
[11:54:16] <davidbnelson> glen - tls or dtls don't provide key management, either
[11:54:38] <davidbnelson> hannes - key management is not magic
[11:54:53] <davidbnelson> key management for tls is something that folks have libraries for
[11:54:53] --- ldondeti has left: Disconnected.
[11:55:37] <davidbnelson> steve hanna - question for alan what key management
[11:55:56] <davidbnelson> alan - depends on what implementation, open for discussion
[11:56:07] <davidbnelson> steve - tls already has this
[11:56:38] <davidbnelson> steve - key management doesn't need to be an issue with dtls
[11:56:59] --- ldondeti has joined
[11:57:09] <davidbnelson> bernard - what is the issue with dtls and fragmentation?
[11:57:41] <davidbnelson> scott kelly - shortcoming in the spec, no reassembly defined, can do it yourself in the mux
[11:59:12] <davidbnelson> steve hanna - better to re-use an existing security mechanism, radius does not have a good track record
[11:59:56] <davidbnelson> glen zorn - said the same thing years ago wrt l2tp and ipsec, it was a disaster
[12:01:04] <davidbnelson> dan harkins - aes key wrap not inventing, but rather re-using, key wrap and dtls are equally non new
[12:01:26] <davidbnelson> steve - maybe want to ask for security area review
[12:01:29] <davidbnelson> second that
[12:01:49] <davidbnelson> talk to stefan after his preso on radsec
[12:04:10] <davidbnelson> stefan winter preso on radsec (radius over tls)
[12:07:50] <davidbnelson> bernard - assuming cert based authentication?
[12:08:00] <davidbnelson> stefan - our implementation does
[12:08:11] <davidbnelson> bernard - use dynamic DNS?
[12:08:16] <davidbnelson> stefan - an option
[12:11:10] --- frank has joined
[12:13:36] <davidbnelson> hannes -- defending Diameter
[12:16:30] --- frank has left
[12:16:53] <davidbnelson> glen - marginally familiar, tcp connections are between realms, not to local nases?
[12:17:03] <davidbnelson> stefan - has tried it on nases
[12:17:53] <davidbnelson> steve hanna - any problems with the tls connections?
[12:18:17] <davidbnelson> stefan - down server can go undetected, means to check peer liveness
[12:19:41] --- bew has left
[12:21:56] <davidbnelson> dan romanascanu - ad comments, there may be room to discuss the charter prohibition if the WG wants to go forward with radsec
[12:22:18] <davidbnelson> dan - positioning of the work in the broader environment as clash with Diameter
[12:22:35] <davidbnelson> dan - concern with clashes with other work in the ietf
[12:22:55] <davidbnelson> can be an issue even on the independent submission track
[12:23:04] <davidbnelson> all three proposals have open issues
[12:23:13] <davidbnelson> dtls no deployment
[12:23:31] <davidbnelson> in band key management needs sec area review
[12:24:00] <davidbnelson> tls needs to be reviewed outside the eduroam usage
[12:24:12] <davidbnelson> keep all alive and revisit next ietf
[12:24:29] <davidbnelson> dan romanascanu - yes but there are time pressures
[12:25:08] <davidbnelson> glen - hostile to changing the charter for this proposal
[12:26:01] <davidbnelson> glen - has been reviewed by jim schaad and russ housley
[12:26:21] <davidbnelson> lakshminath - waiting to next meeting not good
[12:27:25] <davidbnelson> lak. hokey work needs key wrap
[12:29:21] <davidbnelson> hannes - propose to take key wrap and build key management using derivation of dtls work, negotiate cipher suite in dtls handshake to keywrap
[12:29:56] <davidbnelson> alan- no objection to hannes' proposal
[12:34:00] --- ldondeti has left: Disconnected.
[12:34:07] <davidbnelson> end of meeting
[12:34:13] --- davidbnelson has left
[12:34:54] --- davemitton has left
[12:38:06] --- alexis.hildebrandt has left
[12:42:28] --- vidya has left