MSEC IETF-78 Minutes

Meeting Materials

https://datatracker.ietf.org/meeting/78/materials.html

http://www.ietf.org/proceedings/78/

Meeting audio track:

http://www.ietf.org/audio/ietf78/ietf78-ch1-fri-am.mp3 beginning at 25:41

Introduction - Chairs

Opening Slides

Raj Singh agreed to take minutes.

Brian - Briefed the agenda.

1. Sam's Comment - Group Counter mode cannot be implemented, because the key management section is not specific to an implementation

                   a. Make it Informational.

                   b. Reference GDOI Update

   David McGrew: Group Counter Mode describes sender behavior, not receiver behavior.

                 We cannot tell a correct implementation by an interop test.


   Brian Weis:   His comment was concerned with the group key management behavior described in the document.

   Tim Polk:     If the GDOI update is implementable, it should move quickly. We can mention a normative update.

                 We can link it to the Group Counter Mode document, if it helps to move quickly.


Brian: Updated the status of related drafts.

   - draft-yeung-g-ikev2-01 - Have to check with author, will do after meeting. Will ask the WG on the list whether to make it a WG document.

   - draft-kamarthy-gdoi-mib-00 - Same

   - draft-weis-gdoi-mac-tek-01 - Waiting to see if needed for a KARP deliverable.


David: If GDOI is more usable, let's make GDOI-IKEv2 a standard protocol.

Brian: Good comment, we will try for it.

GDOI Update

draft-ietf-msec-gdoi-update-06

Slides

- Yoav Nir provided a lot of comments.

- Added Hardjono as author.

- Brian asked attendees to review the document.

- Tim - Please ask those who reviewed version -05 to review.

- Brian explained the summary of changes.

- Yoav Nir - The usual thing is that we should not use a key for more than 1 purpose, e.g. encryption and signing.

- Brian - For rekey, it makes sense to use a separate key.

- David - The signing key should not be used in more than 1 context.

- Brian - Do you suggest some text?

- David - We should add text saying that the signing key should not be used in more than 1 context.

GDOI Port Usage:

Tero Kivinen: I see NAT-T stuff there. We cannot use NAT-T with IPsec port 4500 for GDOI.

              It can cause issues.

Brian - If both IKE (500) and GDOI (848) migrate to 4500, it could be an issue for the receiver to demux to the right key management protocol.

Tero: For IKE traffic, you can use the same port 848; for IPsec packets, you can use NAT-T.

      Add more text; the current text is not sufficient.

Brian: We can remove the NAT-T text. Didn't intend to describe this as a full NAT-T issue.

Yoav: Can we assume that any algorithm which is not mentioned in the doc is a MAY?

Brian: Yes. We can add text saying so.

David: SIG ALG RSA, would it be nice to use it with SHA256?

Brian: They MUST be more tightly coupled.

Tim: Pairing both MUSTs looks good.

David: I think the same.


Symmetric Key Transport and Group Key Management

Slides


- Recap from last meeting.

- Key Wrap does not match GDOI data model.

- NIST has allowed the use of GDOI without Key Wrap. GDOI itself is considered to be a Key Wrap.

- I am in touch with NIST and will provide updated info as available.

- Going Forward: 

  a. Key Transport (Protocols)

  b. Key Wrap Algorithms

Tim Polk: We appreciated the review and discussions by MSEC regarding this issue. NIST is coming with more documents that will be forwarded to MSEC group, please review them.
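The key-separation point raised in the GDOI Update discussion above (a key should serve one purpose; the signing key and the rekey key should be distinct from the traffic key) is easiest to see in code. The following is an added example, not part of the minutes and not GDOI's or any implementation's own code: it uses the RFC 5869 HKDF construction (implemented here over the Python standard library) to derive independent per-purpose keys from one group seed, using distinct "info" labels for traffic encryption, rekey (KEK) and signing/MAC. The label strings and the 32-byte key length are assumptions chosen for illustration.

```python
import hmac
import hashlib

# HKDF-Extract per RFC 5869: PRK = HMAC-Hash(salt, IKM)
def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=hashlib.sha256) -> bytes:
    if not salt:
        salt = b"\x00" * hash_fn().digest_size  # RFC 5869: default salt is HashLen zeros
    return hmac.new(salt, ikm, hash_fn).digest()

# HKDF-Expand per RFC 5869: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    hash_len = hash_fn().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

# Purpose labels: each derived key is bound to exactly one use (assumed names).
PURPOSES = ("group-traffic-encryption", "group-rekey-kek", "group-signing-mac")

def derive_group_keys(group_seed: bytes, group_id: bytes, key_len: int = 32) -> dict:
    """Derive one independent key per purpose from a single group seed.

    Changing only the purpose label changes the whole output, so the traffic
    key, the rekey KEK and the MAC key cannot be confused for one another even
    though they descend from the same seed.
    """
    prk = hkdf_extract(salt=group_id, ikm=group_seed)
    return {p: hkdf_expand(prk, p.encode() + b"|" + group_id, key_len) for p in PURPOSES}

def keys_are_independent(keys: dict) -> bool:
    """Sanity check a deployment would run: no two purposes share key material."""
    values = list(keys.values())
    return len(set(values)) == len(values)

if __name__ == "__main__":
    # Constructed sample inputs, not real keying material.
    seed = bytes.fromhex("00" * 16 + "ff" * 16)
    keys = derive_group_keys(seed, b"example-group-1")
    for purpose, key in keys.items():
        print(f"{purpose:28s} {key.hex()}")
    print("independent:", keys_are_independent(keys))
```

The HKDF primitive itself can be checked against RFC 5869 Test Case 1 (the 22-byte 0x0b IKM with the 13-byte salt and 10-byte info), which is the quickest way to confirm the helper before trusting the derived keys.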