Tue 10 Nov 2009 15:20:06 JST

Chairs: Joel Jaeggli, Joe Abley
Note-taker: Joe Abley

0. Agenda-Bashing

No changes to the agenda.

1. WG status - WG Chair

Tue 10 Nov 2009 15:23:54 JST

Joel Jaeggli: (per slides.)

2. NANOG ISP security BOF report - WG Chair

Joel: WG activities and outreach (per slides).

Fernando Gont: Request from Ron for optioned packets and port filtering? The IP security document covers some aspects of optioned packets, with some discussion of what would happen if you discarded based on the presence of particular options.

Joel: Yes, the IP security document covers some of the implications, but perhaps a little more could be done, especially in the case of internal applications for IP options that are exploitable from external sources.

Fernando: Is a separate document on optioned packets warranted?

Joel: No, not convinced of that.

Ron Bonica: I think a separate document is warranted. I wanted something I could point at, particularly in response to documents from people proposing new options.

Fernando: I can volunteer for that one. It's related to the work that was being done with the IP security draft.

Ron: I will introduce you to the other two people who offered to work on it.

Fernando: Perfect.

Joel: There are also opportunities to discuss this in the context of IPv6.

Warren Kumari: (on another point of the NANOG outreach) FIB management is not the only reason why people use defaults. It's also fairly commonly used to accommodate micro-convergence events.

Joel: It may not help in the case of a micro-loop, but micro-loop into macro-loop means at least the packets are going somewhere.

Warren: Also accidental defaults.

Joel: Yes, a default left over from installation; perhaps that one can be chalked up to incompetence.

3. Revised, draft-ietf-opsec-ip-security - Fernando Gont

Tue 10 Nov 2009 15:48:11 JST

Fernando: (per slides)

Tue 10 Nov 2009 15:50:48 JST

Joel: My understanding is that we were aiming for this to be Informational?

Fernando: Yes.
Joel: Last call has a way of gelling people's ideas; plan to last-call the document soon after the next rev.

Ron: I think Informational is right. Normally WGLC, then IESG, then done. Since the document is important, however, I think an Internet-wide last call is sensible. Any objection to that?

Fernando: No objection to that.

4. Revised, draft-ietf-opsec-icmp-filtering - Fernando Gont

Tue 10 Nov 2009 15:53:20 JST

Fernando: (per slides)

Ron: Informational is much easier than BCP. The benefit of BCP is that it comes with a club: if you publish a draft as BCP, a later draft that contradicts it will have trouble. In this case I can't imagine a draft that would seek to contradict this advice. Recommend staying with Informational.

Joel: This document does not prescribe things; it aims to describe consequences.

Fernando: What about how to address the problem of packets aimed at the device?

Ron: I would not include that. There is other work going on that is more general, not just ICMP, that will cover that.

Joel: Also there are corner cases, e.g. a packet aimed through with a TTL that expires, e.g. traceroute. What to do with packets that are aimed at a device is a more local policy issue.

5. Revised, draft-ietf-opsec-routing-protocols-crypto-issues

Tue 10 Nov 2009 16:00:06 JST

Joel: (per slides) "history", "changes"

Joel: Intention to WGLC the -02.

6. Others?

Tue 10 Nov 2009 16:04:40 JST

Meeting concludes.