BEHAVE minutes, IETF81, Quebec City, July 2011

Chairs: Dave Thaler, dthaler@microsoft.com, Dan Wing, dwing@cisco.com
Minutes by Stuart Cheshire and Paul Selkirk
Audio archive: http://www.ietf.org/audio/ietf81/ietf81-206b-20110727-1256-pm.mp3, 2:14:40 through 3:13:15

15:20 Carrier Grade NAT Requirements (Simon Perreault, 15)
draft-ietf-behave-lsn-requirements

Stuart Cheshire: IETF has one port forwarding protocol, which is PCP, so we should require it by name.
Dave Thaler: I agree. PCP doc is in final stages.
Dave Harrington: If you make any text non-normative, then remove any capitalized MUST/SHOULD/MAY.
Dave Thaler: Why have any non-normative section at all?
Answer: To show we considered that area, and decided it has no requirements.
Relax hold-down requirements? No objection.
JF Tremblay: Should long-lived mappings be logged periodically to make it easier to discover them when searching the logs?
Dan Wing: This is not for this document. This would be for the logging requirements document, discussed later.
Shin: Law enforcement varies by locality, so hard to nail down requirements in one global doc.

15:35 NAT64 Discovery Heuristic (Jouni Korhonen, 15)
draft-ietf-behave-nat64-discovery-heuristic

Dave Thaler: Security Considerations section needs discussion of whether DNSSEC is needed.
Andrew Sullivan: I'm troubled. Exit strategy seems weird and unnecessary. It also needs DNSSEC, and you need to validate. Ergo, this requires DNSSEC validation on the host. This makes this approach no longer cheap and easy. This is the wrong thing to do, but we're going to do it anyway.
Dave Thaler: I don't think this needs DNSSEC validation on the host.
Peter Koch: I have not followed the discussion on the list, but what scares me is the lack of operational considerations. Who hosts this name? How many queries per second are expected? Has there been any talk with potential operators?
Dave Thaler: Vendors already do similar things in their software today, with a name hosted by the vendor in question, to tell if the device is in a "captive network" that requires the user to login via a web page to get working connectivity.
Peter Koch: This is just declaring defeat.
Andrew Sullivan: If vendors are going to do it, let's standardize it.
Peter Koch: It's still a bad idea. Let vendors do it, and take responsibility for hosting the names themselves.

15:50 Next Steps, Dave Thaler

Do we wrap up BEHAVE, or recharter and take on new work?
Fred Baker: MIB allows reading. What about YANG for writing?
(No one in the room spoke up in support of requiring YANG.)
Juergen: Had a meeting to look at existing MIBs, identified gaps.
Dave: Is there energy to complete new MIBs within a year?
Ting Zou: The authors want to move forward with the MIB documents.
Dan Wing: Suggest you organize an interim meeting for a month from now, and make some progress on it.
Dave Harrington: MIB work should be scoped to only cover MIBs related to work already completed in BEHAVE, not new stuff.
Simon Perreault: The logging problem really needs to be solved. ISPs need this.
Dan Wing: Would an ops group be better to do this?
Simon Perreault: It's not purely logging: it may influence how the NAT has to behave to facilitate better logging.
Fred Baker: Legal issues have to be taken into account.
JF: Do you want to separate the binary format from what gets logged?
Dan: There are no written requirements for what gets logged.
Xing Li: I believe BEHAVE should work on stateless translation.
Dave Thaler: Why BEHAVE instead of elsewhere in IETF?
Andrew Sullivan: If items were important, they would have been brought to the working group already.

end.