IPsecME WG
IETF 83, Paris
Monday, March 26, 2012
Minutes taken by Paul Hoffman

Text from the slides is not reproduced here
See https://datatracker.ietf.org/meeting/83/materials.html#wg-ipsecme

Agenda was bashed, no additional issues

WG status
  Last IETF was just an informal meeting
  One current doc: P2P VPN use cases and requirements doc
  We know that protocols are already out there, but that doesn't matter now

P2P VPN problem statement doc
  Steve Hanna
  draft-ietf-ipsecme-p2p-vpn-problem-00
  Need a new name for the protocol
  Current draft is use cases only, will get to requirements soon

  #210 What Should We Call This Effort?
    Postponed until after we have all the requirements

  #211 We should talk more about why this is a hard problem
    Add some new text about why this is difficult
    Will know more when we do the requirements

  #212 Section 2.2 should be more detailed
    Give examples of why gateway-to-gateway might be useful
      Two branch offices, videoconferencing
    Paul Hoffman: this is why we postponed #210
      People were thinking that the topic was only individual-to-individual
      Naming issue started restricting what we were talking about

  #213 In use case 2.1, direct endpoint-to-endpoint connectivity may not be possible
    Need to mention challenges in use cases section
    Paul: reminded that there will be a separate requirements section

  #214 Should gateways figure things out completely or just punt endpoints to a closer gateway?
    Core gateway configuring is a solution, so premature
    Also in #213

  #215 Should traffic flow through the gateway while a shortcut is being established?
    Should be a requirement
    Michael Richardson: must be a requirement
      We don't have all the tunnels pre-configured, so we need to deal with flowing traffic
      You can't pre-configure because of capacity issues on the gateway
    Steve: does this need to be a use case because it is so fundamental?
    David Black: VoIP isn't the only traffic on the Internet
      Is OK with dropping a packet sometimes
    Tero Kivinen: This will be needed after you notice that you need it, when packets are flowing
    Steve: Mention in use cases that packet loss is highly undesirable, but add it more in the requirements
    Brian Weis: Nervous about talking too much about voice
    (?): Not saying that no packets should be lost, but (?)
    Michael: Voice packets also being late is bad
      Might have a policy to only use this for media, not for regular data

  #216 Multiple interfaces or mobile endpoint
    Solution-specific or requirement
    Tero: Is there a use case where the endpoint moves from outside the gateway to inside?
    Paul: Mobility is a use case, but not just for multiple interfaces
    Steve: Either a new use case, or within the existing ones

  #217 Temporary Credentials
    Requirement: it's a "how", not a use case
    David: Authorization is out of scope

  #218 Exhaustive configuration
    Explain that this doesn't scale in 3.1
    Tero: It is also proprietary and can't be interoperable
    Brian: We can push out configs if needed
    Paul: Remember the massive failure of the IPS WG
    Also an issue with NATs if the endpoint hasn't talked first

  #219 Star topology as an admin choice
    People don't need to use this if they don't want to
    Say this in the security considerations
    Yoav Nir: Has to be a requirement that any solution can implement different policies
    Yaron Sheffer: Agrees with Yoav, maybe becomes a use case
    Take this to the list

  #220 Dangling Paragraph
    Deleted paragraph

  #221 IPsec Architecture and Proprietary Approaches
    Add text: proprietary approaches don't always implement all of the IPsec architecture

  Paul: wants a name that is properly descriptive, maybe also creative

  Next steps
    Steve will issue new I-D with new name
    Spend April writing requirements
    Then ask people to propose solutions
    Yaron: Requirements go in this draft in a different section
    Paul: Wants to see "the right amount" of interaction on this document
      We have no idea if existing solutions will meet the requirements because the requirements section is blank
    May have some proposed solutions before Vancouver

More raw public keys
  Tero
  draft-kivinen-ipsecme-oob-pubkey-00.txt
  Similar to what is happening in the TLS WG
  If we adopt this, what do we do with the old format?
    Michael: Should say, don't be silent
  Yaron: Needs to be Standards Track
  Paul: We need to discuss this on the mailing list even if it is not a WG document
  Brian: The document doesn't describe the encoding of the keys
    Paul: It comes from the PKIX SubjectPublicKeyInfo definition

ERP for IKEv2
  Yoav
  draft-nir-ipsecme-erx
  Minor change to protocol so that you don't have to renegotiate when you move around
  Doesn't deal with multiple AAA domains
  Will be on the list

IANA Issue in IKEv1 ipsec-registry
  Tero
  Everything is a mess
  Will ask on the list; silence means that he can go ahead

Use of config payload for 3GPP and Femtocell
  Tricci So
  draft-so-ipsecme-ikev2-cpext-01
  Femto is on many technologies, not just 3GPP
  Fixed wireline operator needs to apply a policy to the Femto device
  Need to know the location of the Femto AP, based on IP address
  Reuses Config payload to let SG pass back the address
  Tero: This is the completely wrong way to do this
    It's not config information, and it can't be trusted
    Maybe use an SNMP MIB instead
  Violeta Cakulev: Also thought this is the wrong thing to do
  Paul: Not clear what the process is, but it should be discussed more on the mailing list