IETF
saag
saag@jabber.ietf.org
Thursday, November 16, 2017< ^ >
hernani has set the subject to: SAAG AT IETF100 https://datatracker.ietf.org/meeting/100/agenda/saag/
Room Configuration
Room Occupants

GMT+0
[03:08:24] metricamerica joins the room
[04:05:22] metricamerica leaves the room
[04:40:37] Yoshiro Yoneya joins the room
[05:19:41] meetecho joins the room
[05:20:49] metricamerica joins the room
[05:25:13] John Border joins the room
[05:25:13] Kaoru Maeda joins the room
[05:25:13] Lorenzo Miniero joins the room
[05:25:13] Edward Lopez joins the room
[05:25:13] HAJIME WATANABE joins the room
[05:25:13] Ronald Tse joins the room
[05:25:13] Phillip Hallam-Baker joins the room
[05:25:13] Daniel Wyatt joins the room
[05:28:58] synp joins the room
[05:30:31] Brian Campbell joins the room
[05:31:40] sftcd joins the room
[05:32:53] Ronald Tse leaves the room
[05:32:54] Ronald Tse joins the room
[05:33:03] <Phillip Hallam-Baker> ermmm,,
[05:33:21] m&m joins the room
[05:34:12] Melinda joins the room
[05:34:46] Sean Turner joins the room
[05:35:17] Satoru Kanno joins the room
[05:35:26] richard.barnes joins the room
[05:35:32] Samuel Weiler joins the room
[05:35:33] Francisco Arias joins the room
[05:35:45] <synp> Hi, I will be your Jabber scribe. If you are remote and want something relayed to the room microphone, please prefix it with "mic:"
[05:36:40] kadukoafs@gmail.com/barnowlEBF84E62 joins the room
[05:36:44] whatdafuq joins the room
[05:37:43] Edward Lopez leaves the room
[05:37:46] Edward Lopez joins the room
[05:38:14] synp has set the subject to: SAAG AT IETF100 https://datatracker.ietf.org/meeting/100/materials/agenda-100-saag/
[05:38:35] kathleen.moriarty joins the room
[05:39:11] Mingliang Pei joins the room
[05:39:55] wseltzer@jabber.org joins the room
[05:40:20] <kathleen.moriarty> Can I get one more volunteer for minutes for the SecDispatch section of the meeting?
[05:40:43] <kathleen.moriarty> Having 2 for that could be very helpful.
[05:41:16] <wseltzer@jabber.org> I can help out in the etherpad
[05:41:18] <richard.barnes> Is it really true that the source AS isn’t under attack for things like reflection attacks?
[05:41:59] <kathleen.moriarty> We'll have about 10 minutes for questions and he is very interested in feedback/questions
[05:42:11] <kathleen.moriarty> THANK YOU, Wendy!
[05:42:14] <Melinda> I'm taking notes but I'm not using etherpad.  When I get a chance I'll paste what I've got in
[05:42:54] <kathleen.moriarty> It's fine to have it separate.  THANK YOU, Melinda!
[05:43:04] <synp> *** Are remote participants seeing the slides OK, or do you need me to call out slide numbers?
[05:43:19] francesca joins the room
[05:44:15] Yoshiro Yoneya_5429 joins the room
[05:46:53] <Ronald Tse> I'm remote and I can see the slides properly
[05:48:45] <kadukoafs@gmail.com/barnowlEBF84E62> Wow, today really is dedicated to middleboxes, isn't it.
[05:50:57] <Edward Lopez> multi-Gbps? ... when peering is moving to 100Gbps links
[05:51:00] <sftcd> but this one is a middlebox with a secret super-secure execution environment, so that's ok then :-)
[05:51:33] <richard.barnes> Kaduk: In fairness, routers are kind of unavoidable middleboxes
[05:52:02] <synp> To be fair, DDoS is one kind of threat that really is better handled in the network
[05:53:43] <kadukoafs@gmail.com/barnowlEBF84E62> I am not super-concerned that the research projejct is an order or two
of magnitude slower than the needs of production.
[05:54:09] <sftcd> how did the dest AS flow info get to the source again?
[05:54:31] <richard.barnes> Given that we’ve been banging on mitigation for a long time now with not much progress, I would be a lot more interested in how we remove DDoS vectors from our applications
[05:55:45] <synp> If you're willing to generate a ServerHello in response to any ClientHello, you're vulnerable.
[05:56:36] <richard.barnes> As I understand it, TCP is almost never the problem.  According to some folks in the mitigation business I’ve talked to, almost all the attack traffic is reflected UDP DNS
[05:57:00] <richard.barnes> So it seems like we would do better service to the Internet by getting UDP DNS turned off
[05:57:17] <richard.barnes> (For example)
[05:57:28] <synp> And move all the HTTP traffic to UDP?
[05:58:54] <richard.barnes> Yoav: The stuff we’re talking about here is not really relevant to HTTP.  If it’s volumetric attacks we’re talking about, there’s not even a SYNACK
[05:59:42] whatdafuq leaves the room: Disconnected: closed
[06:00:20] <synp> In that case, does it really help if your machine doesn't have a socket listening on the UDP DNS port?  It still has to be processed by the IP stack.
[06:00:42] <richard.barnes> Yoav: Let’s talk later about how DNS amplification works :)
[06:01:13] <richard.barnes> https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/
[06:01:55] <synp> I know how it works. I didn't realize that you were suggesting we turn it off at the DNS server side.
[06:02:09] <richard.barnes> Sorry, yes, that’s what I meant.
[06:06:07] <Phillip Hallam-Baker> Oh, so you have global knowledge of all ISPs?
[06:08:00] <Ronald Tse> I think he means he makes money off DDoSes
[06:08:05] <kadukoafs@gmail.com/barnowlEBF84E62> People are making money other than by hiring out their botnet to
engage DDoS
[06:08:06] <Ronald Tse> ;-)
[06:08:30] <Daniel Wyatt> Ronald: ha!
[06:11:29] <synp> ***
[06:11:29] kathleen.moriarty leaves the room
[06:11:33] <synp> *** Sec-Dispatch
[06:11:35] <synp> ***
[06:12:18] <synp> *** Note: Sec-Dispatch will use this Jabber room.. There is no need to redirect your Jabber client.  Don't touch that dial
[06:12:39] <wseltzer@jabber.org> note-taking in https://etherpad.tools.ietf.org/p/notes-ietf-100-saag
[06:12:47] <synp> Reminder: I am your Jabber scribe. If you are remote and want something relayed to the room microphone, please prefix it with "mic:"
[06:14:30] <Phillip Hallam-Baker> Could someone sign the get well soon card on my behalf?
[06:15:36] <synp> PHB: I'll forge your signature
[06:18:41] kathleen.moriarty joins the room
[06:18:45] Brian Campbell leaves the room
[06:18:51] Yoshiro Yoneya_5429 leaves the room
[06:23:50] richard.barnes leaves the room
[06:24:34] Samuel Weiler_meetecho joins the room
[06:26:19] <synp> PBH: https://www.dropbox.com/s/yhof0eab78y0nzh/gws-phb.jpg
[06:26:30] <synp> s/PBH/PHB/
[06:27:06] Sean Turner leaves the room: Replaced by new connection
[06:28:06] richard.barnes joins the room
[06:30:22] Sean Turner joins the room
[06:30:22] Sean Turner leaves the room
[06:30:23] <Phillip Hallam-Baker> Thanks!
[06:30:34] richsalz@jabber.at joins the room
[06:30:47] <sftcd> which kind of choosing to use is involved here?
[06:31:37] <synp> It's the Chinese government that does the choosing for you
[06:32:27] <richsalz@jabber.at> It's a couple of years away from being required, but it's highly likely that chinese financial industry will be required to use SM2.  It would be nice/useful to have codepoints, no word on recommendation, that interoperate
[06:32:33] <sftcd> could be a new and nicely negative deffinition of permissionless innovation I guess
[06:32:35] Edward Lopez leaves the room
[06:32:40] Edward Lopez joins the room
[06:33:12] <kadukoafs@gmail.com/barnowlEBF84E62> Does the chinese financial industry use openpgp?
[06:34:21] richard.barnes leaves the room
[06:34:32] <richsalz@jabber.at> just like the US financial industry uses FTP to send around PGP files, I would expect they do use it.
[06:35:12] richard.barnes joins the room
[06:35:27] <richard.barnes> The answer here seems pretty clear.  Fix the registry.
[06:36:01] <Phillip Hallam-Baker> Mic: no, the algorithms curdle can add are fixed
[06:36:25] <synp> Yeah.  It's just that until now everyone wanted code points for TLS.  Wanting code points for OpenPGP is an innovation.
[06:36:53] <richard.barnes> Sure.  So let’s just do the same thing for OpenPGP that we did for TLS
[06:36:59] <sftcd> foot in the door kind of thing asking for PGP I wonder?
[06:37:21] <Phillip Hallam-Baker> CURDLE is limited by charter
[06:37:51] <synp> charters can be modified.
[06:38:04] whatdafuq joins the room
[06:38:45] <Phillip Hallam-Baker> DKG is right. Thjis is why I proposed a hack that would have allowed OIDS in OpenPGP
[06:39:09] <whatdafuq> yes, do for openpgp what we're doing for tls… add a "recommended" column and say "no".
[06:39:20] <Phillip Hallam-Baker> Basically, you asign one code point that says 'look at this other thing that gives you an OID'
[06:39:30] richard.barnes leaves the room
[06:39:31] <whatdafuq> or put in the reference "approved by the People's Liberation Army"
[06:40:18] richard.barnes joins the room
[06:40:21] Edward Lopez leaves the room
[06:40:23] Edward Lopez joins the room
[06:41:42] <richard.barnes> MORE MIDDLEBOXES!
[06:41:57] <kadukoafs@gmail.com/barnowlEBF84E62> Didn't we already hear about identity pinning at the TLS WG a few
meetings ago?
[06:42:09] Simon Pietro Romano joins the room
[06:42:13] <Ronald Tse> I agree with Phillip that registering OIDs is easier.
[06:43:00] <sftcd> regardless of process, I think supporting national algs in IETF protocols is an interop-damaging mistake in general and here
[06:43:31] <Ronald Tse> Rich / Kaduk Being an OpenPGP fan indeed I hope they use it in the financial industry. However, again it is illegal to do so with existing algorithms allowed in OpenPGP today.
[06:43:57] Simon Pietro Romano leaves the room
[06:43:58] <Phillip Hallam-Baker> TLS resume has a small ticket size or so I remember
[06:44:01] Simon Pietro Romano joins the room
[06:44:24] <kadukoafs@gmail.com/barnowlEBF84E62> The concern was the one-week lifetime cap of resuption tickets, IIRC,
and the identity pinning was desired to last longer
[06:45:37] Taiji Kimura joins the room
[06:46:10] <synp> Stephen: The alternative is for them to squat on some code points and have PGP encryption/signature that is not compatible with other future uses of the same code points.  I don't think we can bend the Russian and Chinese governments.
[06:46:22] <Ronald Tse> sftcd: I think the IETF should "allow" nationals in those jurisdictions to use their legal algorithms rather than forcing everyone to use the same (but disallowed) ones. As Sean mentioned, the selection of algorithms is an orthogonal one.
[06:47:11] <Ronald Tse> I agree with synp. Better to bring them into the IETF fold rather than the other way round
[06:47:37] <sftcd> I get the arguments but reach a different conclusion
[06:47:40] =JeffH joins the room
[06:48:07] <Ronald Tse> sftcd so you're suggesting that the usage of OpenPGP remain illegal within China?
[06:48:10] richard.barnes leaves the room
[06:48:26] <Ronald Tse> Over the choice that a minor change would allow that?
[06:48:35] <sftcd> I'm suggesting  the IETF work towards improving emaili security Internet-wide
[06:49:11] <whatdafuq> bad laws in China should not dictate what we do in the IETF
[06:49:28] <synp> Ronald: yes, but email (and other protocols) are international as evidenced by this Jabber conversation we're having right now or the TLS that protected your streaming video.  Using different algorithms in different countries doesn't scale because communication is not siloed like that.
[06:50:02] <whatdafuq> the fact that China _OUTLAWS_ other algorithms will make people very suspicious of using Chinese variants— i.e. they must have a backdoor.
[06:50:05] <Ronald Tse> Chinese CAs are already utilizing SM2 for certificate signing.
[06:50:17] <Ronald Tse> whatdafuq: the same argument applies to your stance.
[06:50:42] <whatdafuq> no, there are no laws in the country I live in the forbids using some weirdo algorithms.
[06:50:59] <whatdafuq> I can make up EC curves to my heart's content and use them if I want.
[06:51:25] <Ronald Tse> whatdafuq: I'm sure you're aware that governments demand usage of certain cryptographic algorithms, and this includes the US government.
[06:51:52] <Ronald Tse> I don't think your last sentence applies to this conversation.
[06:51:56] <whatdafuq> for product that they buy. Yes, the US government wants to buy US government approved crypto. But the US government does not forbid the use of other product in the US
[06:52:44] <whatdafuq> so analogously, the Chinese government can require SM2/3/4 for product they buy but that should not prevent you from using SHA256 and AES and p256 for your own purposes.
[06:53:07] <synp> whatdafuq: They don't really outlaw AES. They do the same as the Russians: they require their own algorithms wherever the law requires encryption, like financial information.  This is no different from having PCI industry standards for commerce in the US and HIPAA standards for medical.  You can't make up your own curve and use this for medical information.
[06:53:19] <Ronald Tse> Sure, but that forbids the usage of OpenPGP for any organization that is related to the national governments that require usage of their own cryptographic algorithms.
[06:54:00] <whatdafuq> can two (civilian) people in china use openpgp as it stands today to protect their communications between them?
[06:55:14] <whatdafuq> or is the use of openpgp today outlawed period?
[06:55:25] <Ronald Tse> synp: I agree that international communication should not be siloed. However, please do understand that people are already using different algorithms -- in South Korea the ARIA cipher is already used for all websites.
[06:55:32] <Ronald Tse> (in TLS certificates)
[06:56:46] <Phillip Hallam-Baker> As a meta point, folk who are proposing work clearly in the scope of another WG should probably be low priority for dispatch
[06:56:47] Samuel Weiler leaves the room
[06:57:03] m&m leaves the room
[06:57:42] Mark Andrews joins the room
[06:58:01] Samuel Weiler_meetecho leaves the room
[06:58:23] <Ronald Tse> whatdafuq: not legally. However, enforcement of software implementations is not oft-enforced today.
[06:58:35] <Ronald Tse> "not often enforced"
[06:58:36] richard.barnes joins the room
[06:59:04] <=JeffH> but are they watching the network and folks w/guns show up in your home at 0300h some night?
[06:59:24] richard.barnes leaves the room
[06:59:35] richard.barnes joins the room
[07:00:32] <Ronald Tse> It's hard t answer that. Is speeding illegal?
[07:00:39] <Ronald Tse> "to"
[07:01:45] Mingliang Pei leaves the room
[07:02:27] <sftcd> if these are added it'd seem like we'd be heading to something a little like the WAPI situation with WiFi which'd maybe be adding a bunch of rarely used code paths which tends be more buggy
[07:02:47] <sftcd> that's a general problem with national algs though not China specific
[07:03:07] <whatdafuq> exactly. In fact SM4 is what WAPI used. But WAPI used a 192-bit EC which apparently was not SM2.
[07:03:31] <=JeffH> personally, i think allocating code points for those algs is fine, tho should be noted somewhere that they are national algs
[07:03:37] <Ronald Tse> sftcd I agree with you but that's where the world is heading to with cryptographic diversity.
[07:03:58] Jonathan Lennox joins the room
[07:04:26] <whatdafuq> and oddly WAPI used SHA256 so I guess WAPI is not "illegal" in China :-)
[07:04:33] <whatdafuq> "now illegal"
[07:05:27] <sftcd> it would be a fine thing though if someone updated 4086 (talking about randomness now)
[07:05:46] Mark Andrews leaves the room
[07:05:47] <=JeffH> sign Nick up to do that?
[07:06:09] <sftcd> maybe we could ask cfrg nicely  to do it?
[07:06:56] <=JeffH> perhaps, but having identified willing (co-)editors ahead of time will grease the skids
[07:08:22] Morton Swimmer joins the room
[07:09:10] <richard.barnes> seems like this might be turning into the “punt to CFRG” WG :)
[07:09:16] <wseltzer@jabber.org> Can someone else join the minuting? https://etherpad.tools.ietf.org/p/notes-ietf-100-saag
[07:09:28] <Ronald Tse> whatdafuq: WAPI being a GB standard, indeed SHA-256 is allowed in that context.
[07:09:32] <kathleen.moriarty> experiment ;-)
[07:09:37] <synp> Of course CFRG can punt right back
[07:09:45] <sftcd> yeah I tend to agree with Richard that Nick's thing'd be fine AD sponsored (if they wanted:-)
[07:09:57] <kadukoafs@gmail.com/barnowlEBF84E62> It's not really clear to me that we really need an RFC to say "if you
can't mix a long-term private key into your RNG, encrypt/sign a fixed
value with it and use that (random) signature instead".
[07:09:57] <kathleen.moriarty> s/wg/experiment/
[07:10:49] <synp> But more likely, the CFRG chairs will send it to their crypto review board for an opinion. And then maybe punt it right back.
[07:11:49] <sftcd> yep, I predict a time wasting loop with CFRG for Nick's thing :-(
[07:14:15] sftcd reckons the secdispatch experiment might work better with list discussion of drafts ahead of the meeting, there'd be less mic comments and the chairs would have a better idea of what questions to ask
[07:14:29] richard.barnes leaves the room
[07:14:34] <kadukoafs@gmail.com/barnowlEBF84E62> probably
[07:14:36] <sftcd> not surprising the first time has issues
[07:15:06] richard.barnes joins the room
[07:15:59] richard.barnes leaves the room
[07:16:17] Geoff Huston joins the room
[07:16:51] <wseltzer@jabber.org> won't someone please think of the note-takers?
[07:17:05] <Melinda> Sorry, I'm still in emacs
[07:17:50] richard.barnes joins the room
[07:18:04] <Yoshiro Yoneya> +1 for TXT RR
[07:18:08] <richard.barnes> With DNSSEC, it’s worse than mt said, because you have to sign the thing *twice*
[07:20:06] John Border leaves the room
[07:22:37] Daniel Wyatt leaves the room
[07:22:45] <richard.barnes> I thought AKA had been broken?
[07:22:54] <richard.barnes> Maybe iv’e got that confused with some other 3gpp thing
[07:24:27] <synp> I think the symmetric crypto for GSM was broken. Don't think any of the authentication ones were.
[07:24:51] <richsalz@jabber.at> Wendy, you only have to list draft names and decisions.  Anything else is bonus.
[07:26:58] richard.barnes leaves the room
[07:27:58] richard.barnes joins the room
[07:28:36] richard.barnes leaves the room
[07:28:52] Jonathan Lennox leaves the room
[07:29:16] Francisco Arias leaves the room
[07:29:19] richsalz@jabber.at leaves the room: Stream reset by peer
[07:29:29] <synp> The list Kathleen was talking about is EMU (from the old EAP Method Update working group)
[07:29:46] <sftcd> this seems like a good topic, not sure if now is the right time but it sounds like a WG
[07:31:30] sftcd leaves the room
[07:31:31] whatdafuq leaves the room: Disconnected: closed
[07:31:32] <synp> *** And we're done.
[07:31:35] synp leaves the room
[07:31:49] Edward Lopez leaves the room
[07:32:31] Melinda leaves the room: Disconnected: closed
[07:32:52] Morton Swimmer leaves the room
[07:33:02] Geoff Huston leaves the room
[07:33:22] wseltzer@jabber.org leaves the room
[07:33:30] meetecho leaves the room
[07:33:39] Taiji Kimura leaves the room
[07:33:39] Phillip Hallam-Baker leaves the room
[07:33:39] Simon Pietro Romano leaves the room
[07:33:39] Lorenzo Miniero leaves the room
[07:33:39] Kaoru Maeda leaves the room
[07:33:39] Satoru Kanno leaves the room
[07:33:39] Ronald Tse leaves the room
[07:33:39] HAJIME WATANABE leaves the room
[07:33:52] francesca leaves the room: unknown reason
[07:35:22] metricamerica leaves the room
[07:37:48] Samuel Weiler joins the room
[07:37:52] Yoshiro Yoneya leaves the room
[07:37:57] Yoshiro Yoneya joins the room
[07:38:11] Yoshiro Yoneya leaves the room
[07:39:36] wseltzer joins the room
[07:41:10] =JeffH leaves the room
[07:41:52] wseltzer leaves the room
[07:45:52] kathleen.moriarty leaves the room
[07:49:55] Melinda joins the room
[07:50:52] Samuel Weiler leaves the room
[07:51:49] Jonathan Lennox joins the room
[07:52:07] richard.barnes joins the room
[07:52:34] richsalz@jabber.at joins the room
[07:52:39] Jonathan Lennox leaves the room
[07:52:42] richsalz@jabber.at leaves the room
[07:52:42] m&m joins the room
[07:52:55] francesca joins the room
[07:56:15] whatdafuq joins the room
[07:56:54] francesca leaves the room
[07:58:25] metricamerica joins the room
[07:59:09] metricamerica leaves the room
[08:01:23] kathleen.moriarty joins the room
[08:01:53] wseltzer joins the room
[08:03:37] richard.barnes leaves the room
[08:09:14] m&m leaves the room
[08:09:39] m&m joins the room
[08:12:10] m&m leaves the room
[08:14:22] wseltzer leaves the room
[08:20:23] wseltzer joins the room
[08:26:22] wseltzer leaves the room
[08:28:10] whatdafuq leaves the room: Disconnected: closed
[08:30:24] wseltzer joins the room
[08:37:56] wseltzer leaves the room
[08:58:48] Samuel Weiler joins the room
[08:59:06] wseltzer joins the room
[09:09:22] wseltzer leaves the room
[09:11:45] Samuel Weiler leaves the room
[09:26:47] Samuel Weiler joins the room
[09:29:04] Samuel Weiler leaves the room
[09:42:53] kathleen.moriarty leaves the room
[10:14:00] kathleen.moriarty joins the room
[10:14:32] Samuel Weiler joins the room
[10:22:48] wseltzer joins the room
[10:28:54] wseltzer leaves the room
[10:35:12] Samuel Weiler leaves the room
[11:02:03] Samuel Weiler joins the room
[11:02:33] Samuel Weiler leaves the room
[11:20:53] kathleen.moriarty joins the room
[11:34:54] kathleen.moriarty leaves the room
[13:51:10] kadukoafs@gmail.com/barnowlEBF84E62 leaves the room
[13:51:20] kadukoafs@gmail.com/barnowlEBF84E62 joins the room
[13:55:08] whatdafuq joins the room
[14:10:43] kadukoafs@gmail.com/barnowlEBF84E62 leaves the room
[14:12:19] whatdafuq leaves the room: Disconnected: Replaced by new connection
[14:12:19] whatdafuq joins the room
[14:40:36] whatdafuq leaves the room: Disconnected: closed
[14:54:21] Samuel Weiler joins the room
[14:59:31] whatdafuq joins the room
[15:02:51] whatdafuq leaves the room
[15:04:06] whatdafuq joins the room
[15:09:39] Samuel Weiler leaves the room
[15:16:48] whatdafuq leaves the room: Disconnected: Replaced by new connection
[15:16:48] whatdafuq joins the room
[15:50:39] whatdafuq leaves the room: Disconnected: closed
Powered by ejabberd - robust, scalable and extensible XMPP server Powered by Erlang Valid XHTML 1.0 Transitional Valid CSS!