Meeting Materials
https://datatracker.ietf.org/meeting/78/materials.html
http://www.ietf.org/proceedings/78/
Meeting audio track:
http://www.ietf.org/audio/ietf78/ietf78-ch1-fri-am.mp3 beginning at 25:41
Raj Singh agreed to take minutes.
Brian - Briefed the agenda.
1. Sam's Comment - Group Counter mode cannot be implemented, because the key management section is not specific to an implementation
a. Make it Informational.
b. Reference GDOI Update
David McGrew: Group Counter Mode describes sender behavior, not receiver behavior.
We cannot tell a correct implementation by an interop test.
Brian Weis: His comment was concerned with the group key management behavior described in the document.
Tim Polk: If GDOI update is implementable, it should move quickly. We can mention normative update.
We can link it to the Group Counter Mode document, if it helps to move quickly.
Brian: Updated the status of related drafts.
- draft-yeung-g-ikev2-01 - Have to check with author, will do after meeting. Will ask the WG on the list whether to make it a WG document.
- draft-kamarthy-gdoi-mib-00 - Same
- draft-weis-gdoi-mac-tek-01 - Waiting to see if needed for a KARP deliverable.
David: If GDOI is more usable, let's make GDOI-IKEv2 a standard protocol.
Brian: Good comment, we will try for it.
draft-ietf-msec-gdoi-update-06
- Yoav Nir provided a lot of comments.
- Added Hardjono as author.
- Brian asked attendees to review the document.
- Tim - Please ask those who reviewed version -05 to review.
- Brian explained the summary of changes.
- Yoav Nir - The usual thing is that we should not use a key for more than 1 purpose, e.g. encryption and signing.
- Brian - For rekey, it makes sense to use a separate key.
- David - The signing key should not be used in more than 1 context.
- Brian - Do you suggest some text?
- David - We should add in that signing key should not be used in more than 1 context.
GDOI Port Usage:
Tero Kivinen: I see NAT-T stuff there. We cannot use NAT-T with IPsec port 4500 for GDOI.
It can cause issues.
Brian - If both IKE (500) and GDOI (848) migrate to 4500, it could be an issue for the receiver to demux to the right key management protocol.
Tero: For IKE traffic, you can use same port 848, for IPsec packets, you can use NAT-T.
Add more text, the current text is not sufficient.
Brian: We can remove the NAT-T text. Didn't intend to describe this as a full NAT-T issue.
Yoav: Can we assume that any algorithm which is not mentioned in the doc is a MAY?
Brian: Yes. Can add text saying so.
David: SIG ALG RSA, it will be nice to use with SHA256?
Brian: MUST be more tightly coupled.
Tim: Pairing both MUSTs looks good.
David: I think the same.
- Recap from last meeting.
- Key Wrap does not match GDOI data model.
- NIST has allowed the use of GDOI without Key Wrap. GDOI itself is considered to be a Key Wrap.
- I am in touch with NIST and will provide updated info as available.
- Going Forward:
a. Key Transport (Protocols)
b. Key Wrap Algorithms
Tim Polk: We appreciated the review and discussions by MSEC regarding this issue. NIST is coming with more documents that will be forwarded to MSEC group, please review them.