IETF 100 - OPSEC Agenda
Monday, November 13th, 2017, 15:50-17:20, Afternoon Session II
Room: Olivia
Chairs: Eric Vyncke, Gunter Van de Velde

1. WG Status Update (Eric Vyncke)

RFCs: None

WG Drafts:
draft-ietf-opsec-ipv6-eh-filtering - WGLC in September; needs more work
draft-ietf-opsec-v6 - WGLC in April; needs more work

Individual Contributions:
draft-sriram-opsec-urpf-improvements
draft-gont-opsec-icmp-ingress-filtering

2. draft-ietf-opsec-ipv6-eh-filtering, Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers (F. Gont)

Ron Bonica - We should be explicit about which transit router this document is addressing: one inside an ISP or one at the edge of an enterprise. Also, at the last NANOG, there was a large conversation about fragmentation headers. We want to see how that conversation lands before we publish this document.

Bob Hinden - This also needs review or maybe a last call in 6man. Also, I don't see much value in talking about current implementations. The document should talk about what we should do. It isn't ready to publish.

Erik Kline - Given that we have these blacklists, how do we ever ship a new option? Does the document allow experimental headers to pass?

Fernando Gont - We do whatever 7045 says. We permit experimental and unknown headers. We only blacklist a few well-known EHs.

Brian Carpenter - Scope the document even more narrowly than Ron suggests. Talk about specific classes of transit router. Also, don't use the words "Intermediate System" in the document. This is a term of art in IPv6. Use the term "transit router".

Lee Howard - The document says that packets with unknown IPv6 EHs (i.e., not in the IANA registry) should be dropped. This means that Erik's objection is very real.

Fernando - Disputes the point.

3. draft-ietf-opsec-v6, Operational Security Considerations for IPv6 Networks (Eric Vyncke)

Merike - We still care about the document, but we don't have the time or energy to keep up with the comments. Do we want an issue tracker?

Gunter - Ask the question on the list.

Eliot Lear - In the section on ULAs, you miss a use case: where the network has no connectivity to the Internet.

Brian Carpenter - This document also needs to be reviewed and last called in 6man and v6ops. There are also a few problems in the ULA section. There is a document in 6man on ULA.

Ron Bonica - And there is another document on ULA in v6ops.

4. draft-ietf-opsawg-mud, Manufacturer Usage Description Specification (Eliot Lear)

Ron Bonica - I support the idea. One question: the draft assumes some minimal filtering capabilities on the part of the controlled device. What are those? What happens when the device can't filter to the required specificity?

Eliot - We use a constrained version of the IETF ACL model.

Fernando Gont - Why did you decide to pull the policy from the vendor, as opposed to the device?

Eliot - Because the device may not have room to store the policy.

Fernando - What happens if the vendor turns evil or gets hacked?

Eliot - The device is more vulnerable than the vendor's web server.

Doug Montgomery - I think it's good work. How do you make this scale? What happens if I have a million light bulbs from a million vendors? Do I have a million ACLs? Maybe you could bind a MAC prefix to a device type.

Erik Kline - Good work. Who pulls the ACL for the devices? What happens if the device is hacked? Or if the device changes certs?

5. draft-fairhurst-tsvwg-transport-encrypt-03, The Impact of Transport Header Encryption on Operation and Evolution of the Internet (Gorry Fairhurst)

Nalini Elkins - This is great. We would like to look at the transport header, and even inside.

??Andreason?? - This is great work. Let's progress it.

Chris Morrow - This is interesting. Lots of the problems you are talking about are tooling problems. Maybe the tooling needs to change? This is a better solution than not encrypting.

Warren Kumari - Good work. Please take a look at a similar draft called "The Effects of Pervasive Encryption on Operators". It has had one very entertaining last call and will have another LC.

Igor Gashinsky - I am confused about the purpose of this draft. We are encrypting more so we can't see as much. Wasn't that the intent?

Gorry - I want to understand what would be lost if we encrypted everything and then make a conscious decision about what to encrypt.

6. draft-kuehlewind-taps-crypto-sep, Separating Crypto Negotiation and Communication (Chris Wood)

No questions.

7. draft-baba-iot-problems, Problems in and among industries for the prompt realization of IoT and safety considerations (Hiroyuki BABA and Yoshiki ISHIDA)

No questions.

8. draft-sriram-opsec-urpf-improvements, Enhanced Feasible-Path Unicast Reverse Path Filtering (Kotikalapudi Sriram)

No questions.
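The item 2 discussion turns on two filtering postures for IPv6 extension headers: dropping any header not on an explicit list, versus the approach Fernando Gont attributes to RFC 7045, forwarding unrecognised and experimental headers and dropping only a short list of specific ones. The Python below is an added illustration written for these minutes, not code from the draft or from any speaker. It walks the extension header chain of a raw IPv6 packet and evaluates the same constructed packets under both postures, so the effect Erik Kline and Lee Howard raised (an experimental or not-yet-deployed header type being dropped by an allowlist) is visible side by side with the denylist result. The header type numbers are from the IANA registry; the policy sets, the packet builder and its PadN-filled header stubs are constructed for the example and are not recommendations from the draft.

```python
import struct

# IPv6 extension header types (IANA "IPv6 Extension Header Types" registry)
HOPOPT, ROUTING, FRAGMENT, AH, DESTOPTS, MOBILITY, HIP, SHIM6 = 0, 43, 44, 51, 60, 135, 139, 140
EXPERIMENTAL = frozenset({253, 254})           # experimental/testing values
STANDARD_EH = frozenset({HOPOPT, ROUTING, FRAGMENT, AH, DESTOPTS, MOBILITY, HIP, SHIM6})
KNOWN_EH = STANDARD_EH | EXPERIMENTAL
TCP, UDP, ICMPV6, NO_NEXT = 6, 17, 58, 59      # upper-layer values this filter recognises
UPPER_LAYER = frozenset({TCP, UDP, ICMPV6, NO_NEXT})
DENY_EXAMPLE = frozenset({ROUTING})            # constructed example policy, not the draft's list


def walk_eh_chain(pkt):
    """Return (extension header types in order, terminal Next Header value).

    The walk stops at the first Next Header value the filter does not know:
    without knowing the type it cannot tell an extension header from an
    upper-layer protocol, so that value is returned as-is and the policy
    functions decide what to do with it.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in KNOWN_EH:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append(nh)
        if nh == FRAGMENT:
            hlen = 8                             # fixed size; byte 1 is reserved, not a length
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4        # AH length is in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8        # Hdr Ext Len in 8-octet units, excluding the first 8
        nh = pkt[off]
        off += hlen
    return chain, nh


def allowlist_policy(chain, upper, allowed=KNOWN_EH):
    """Posture A: forward only header types on an explicit list; drop everything else."""
    if upper not in UPPER_LAYER:
        return "drop", "unknown header type %d" % upper
    for eh in chain:
        if eh not in allowed:
            return "drop", "EH %d not on allowlist" % eh
    return "permit", ""


def denylist_policy(chain, upper, denied=DENY_EXAMPLE):
    """Posture B: forward unknown and experimental headers; drop only a short list."""
    for eh in chain:
        if eh in denied:
            return "drop", "EH %d on denylist" % eh
    return "permit", ""


def build_packet(eh_types, upper=UDP):
    """Constructed test input: an IPv6 packet carrying eh_types, then an 8-byte upper-layer stub.

    Every extension header is the minimum 8 octets (Hdr Ext Len 0) filled with a
    PadN option; AH is not modelled because its length field differs.
    """
    nxt = list(eh_types) + [upper]
    headers = b""
    for i, eh in enumerate(eh_types):
        if eh == FRAGMENT:
            headers += struct.pack("!BBHI", nxt[i + 1], 0, 0, 0x1234)   # offset 0, M=0, id
        else:
            headers += bytes([nxt[i + 1], 0, 1, 4, 0, 0, 0, 0])          # nh, len 0, PadN(4)
    payload = headers + bytes(8)
    base = struct.pack("!IHBB", 6 << 28, len(payload), nxt[0], 64)     # ver 6, payload len, nh, hop limit
    return base + bytes(16) + bytes(16) + payload                        # zeroed src/dst addresses


def evaluate(pkt):
    """Run both postures over one packet and return their verdicts."""
    chain, upper = walk_eh_chain(pkt)
    return {
        "chain": chain,
        "allowlist": allowlist_policy(chain, upper),
        "strict_allowlist": allowlist_policy(chain, upper, allowed=STANDARD_EH),
        "denylist": denylist_policy(chain, upper),
    }


if __name__ == "__main__":
    for name, pkt in [
        ("hop-by-hop + experimental 253", build_packet([HOPOPT, 253])),
        ("hop-by-hop + unregistered type 200", build_packet([HOPOPT, 200])),
        ("routing header only", build_packet([ROUTING], TCP)),
    ]:
        print(name, evaluate(pkt))
```

The three constructed packets map onto the three positions in the discussion: the experimental header passes the registry-based allowlist and the denylist but is dropped by an allowlist limited to standardised types; a header type absent from the registry is dropped by any allowlist because the filter cannot even parse past it, while the denylist forwards it; and the denylisted routing header is the only packet the denylist posture rejects.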