Minutes of the OPSEC meeting
IETF 72, Dublin, Ireland
2008-07-30 1510 UTC+1

Note-taker: jabley
Jabber proxy: jabley (no jabber scribe)

The meeting opened at 1518 UTC+1.

1. Joel Jaeggli, OPSEC WG

Joel Jaeggli presented on the working group rechartering and document status. There is fatigue on existing milestones, and abandonment with recharter is a more pragmatic way forward than closing the working group and chartering a new one.

The new charter has passed working group last call and has been sent to the IESG. Milestones on the new charter are a bit thin. We want to keep the working group around to bring problems from the network operations space into.

Ron Bonica: charter has changed -- no longer to do with requirements for vendors, now to do with BCP for operators. Old documents should be allowed to wither on the vine.

Joel Jaeggli: An alternative might be to fold this work into OPSAWG.

Dan Romascanu: conscious decision to keep opsec separate from opsawg in order to separate and maintain focus on the security aspects.

There are two new potential work items from Warren Kumari on blackhole communities.

Danny McPherson: comment on Warren's blackhole draft; many ISPs use different communities for different kinds of blackholes, different places to drop packets, etc.

draft-gont-opsec-icmp-filtering is a draft which has seen positive discussion on the mailing list.

Mohacsi Janos: similar draft for v6 ICMP filtering, around RFC 4890. I think the author should consider looking at this draft.

There was a strong hum for adopting draft-gont-opsec-icmp-filtering as a working group document. There was no hum in dissent. The author was encouraged to resubmit the draft as an opsec working group document.

2. SAVI Overview, Christian Vogt

Christian Vogt provided an overview of the problem space and approach for work starting in the SAVI working group.

There was no discussion from the floor.

3. draft-savola-rtgwg-backbone-attacks-03, Pekka Savola

Pekka Savola provided a brief history of this draft.

Merike Kaeo: totally support this work, and think it would be perfect as an informational document.

Joel: no hat, read this document the first time around, a little while ago, think it is a really useful document, some freshening required, but appropriate under our new charter.

Christian Vogt: if not in opsec, where else?

Pekka: if not in opsec, probably not in IETF.

Christian: I support it to be published in this group.

Ron: thumbs up.

Joel: will need to seek consensus on list.

Lucy Lynch: I have read it a while ago, read it again this morning, some of this is a moving target; may require regular refreshment.

Joel: I wouldn't imagine it being more than informational. Will require routine updates or an understanding that, like fish, security recommendations do start to smell bad after a while.

William Dixon: section 3.5 refers to IPsec and IKE that is just really commentary, and I am not sure what to conclude from it. Example of commentary. Draft needs some work to provide concrete recommendations of work.

Joel: also some things that require conclusions.

Michael Behring: good work, stuff that people should read, find difficult that the purpose is a bit of threat, a bit of countermeasures. Would be good to have a clearer idea of what the goal of the document is.

Joe Abley: seems to me there is room in the charter for informational travelogues on security as well as BCPs.

Merike: operational people are always told what to do but not why. I like Pekka's doc because it describes potential security issues along with tradeoffs for some solutions. It will help operators pick appropriate solutions in their environments since none of them individually is a silver bullet to solve all problems.

Pekka: intent: if it's 15 pages or more, if it's too long. Some attack or countermeasure requires lengthy description, probably referred somewhere else. So tried to be concise.

Michael: I really like that. I also see Merike's point. The danger is that you take the countermeasures out and just leave the list, which means the list needs to be more concise.

Joel: should close it here so we can get the remaining presentations in. When we look for consensus on the list, document might benefit from additional authors. People who like the document should consider helping out with it.

4. draft-ietf-rpsec-bgp-session-sec-req-01, Michael Behring

Michael Behring gave an overview of the structure of this document, which was previously a work item in the RPSEC working group.

Joel: seems likely that opsec people would have things to say about this.

Ron: this does give value, think it's appropriate.

Merike: think work is appropriate, but was involved in rpsec and don't think there are enough people in this group that understand enough BGP potentially to come up with requirements.

Joel: agree with Merike on that; control plane security is one element of that but the protocol itself is the other piece and I think that's slightly less core here.

Pekka: observation here is proposed charter, BCP problem statements, taxonomies, etc. Requirements explicitly out of scope.

Sandy Murphy: I recall reading very long ago versions of your draft and versions of Pekka's draft, and saw in your outline some items that I thought might also be included in Pekka's. Infrastructure hiding, for example?

Michael: yeah, but really completely different scope.

Lucy: to follow up on what Joel was saying, cross-area review and strong support that document should continue.

Joe: advice to operators on how to secure routers would be a clearer fit for the charter.

Joel: maybe an additional document.

Michael: I will continue in the routing area, and maybe return here with a BCP.

5. Any Other Business

There was no other business.

6. Adjournment

The meeting was closed at 1620 UTC+1.