----------------------------------------------------------------------
14:16 Nov 5 2013
KARP

Audio begins approximately 1:25:40 into the recording available at
http://www.ietf.org/audio/ietf88/ietf88-plazac-20131105-1300-pm3.mp3.

Agenda
- Administrivia
- Welcome & Status
- Core document: long-lived symmetric cryptographic keys
- Key Management

Current WG drafts
- draft-ietf-karp-crypto-key-table-09 and draft-ietf-karp-ops-model-09 are in IESG Evaluation.
- draft-ietf-karp-isis-analysis-01 and draft-ietf-karp-bfd-analysis-01 are both ready for WGLC.

Related Drafts
- Lots of related drafts, some expired, some with no support, some new and requiring reviews.
- draft-mahesh-karp-rsvp-te-analysis-00 should be ready for a WG adoption call.

----------------------------------------------------------------------
Database of Long-Lived Symmetric Cryptographic Keys
draft-ietf-karp-crypto-key-table-09
Sam Hartman

The talk and slides described updates intended to resolve IESG comments. No concerns were expressed by the WG at the end of the presentation.

----------------------------------------------------------------------
KARP Key Management Charter Review

Key Management Charter Deliverables
- draft-ietf-karp-crypto-key-table-09 fulfills the first one.
- There are no Automated Key Management WG drafts to fulfill the second deliverable.

Manual Keys vs. AKM
...

AKM Drafts discussed
- Lots of different drafts and lots of discussion.

WG Calls for Adoption
- draft-chunduri-karp-kmp-router-fingerprints-03
  - No comments on the list.
- draft-mahesh-karp-rkmp-04
  - One neutral comment on the list, no support given.
  - Call extended, no more comments on the list.

Observations by Chairs/ADs
- Apparently no interest.
- Speculations:
  - Operators have solved the operational problems elsewhere.
  - Operators still don't trust AKM.

WG Discussion
...
[Wes George] I can offer a third theory [the first two being the Speculations on the last slide]: there are operators who are not on the list, and didn't know about the calls for adoption. There is a problem with managing manual keys. Cross area, NANOG.

[Ruediger Volk] Wes already gave most of the points; only operators here. Have not spent any time tracking KARP. KARP is doing important things. Had hopes that key management would be addressed, that would solve the mess out there. Should do some PR actions.

[Sean Turner] I want to get this work to go forward.

[Russ Housley] History. So many people were doing back-of-the-envelope key management, and we had to make sure they are still able to do it. And that's why we needed to architect this so that automatic key management can also be added, and that's why we have the key tables. I would really hate to stop now; it has taken so long already. Finish it. If nobody is going to use it there is no point in wasting more time on it.

[Uma Chunduri] TCP-AO allows changing the keys without affecting connections. That is already there now. Wanted to have a charter addition to be able to change keys without affecting operations.

[Wes] It is important, but it does not need to be in the charter, just in implementations.

[Jeff Haas] The biggest problem is that we are not getting operators' support. Suggest doing a roadshow to operators, so that they request the features, which gets it into the vendor product management process. This leaves the working group in an interesting place. Maybe some documents should be written, and then revised later when they're implemented.

[Acee Lindem] There are already proprietary implementations doing key rollover for years. TCP-AO and the key table already do the key rollover. Could use I2RS interfaces to orchestrate graceful key rollover across a network without this. I am not sure we need this.

[Sam Hartman] One of the authors. Didn't comment on the fingerprint draft, as I'm not sure whether it is the correct way. Why do we need automated key management? In big operators NETCONF is enough; they are willing to script things, they can do pretty good things. We are designing this for the Internet as a whole. As a security person I often wonder if anybody is going to use this. Your life is getting way too hard if you think about that. You can just build protocols and see if someone uses them. Links between organizations: it is clear that you do not want to allow full NETCONF access there. Same for small operators. It is worth doing this work even if we are not sure if people are going to use it today. We cannot do this work unless we get enough people to actually review and do the actual work. Lots of people in this room do want this to go forward. What are people willing to do to contribute?

[Dan Harkins] (Slide 7) I do not understand what "Operators still don't trust AKM" means. If we understand what they mean by that, perhaps that would help.

[Joel Halpern] I went to NANOG several times in the early days of this work and they said yes, you can do it as long as you do not break anything, or preferably do not even change anything. They are less interested in AKM because key tables already solve some of their issues.

[Ruediger] Missing one factor in asking an operator forum. KARP seems like an ivory tower. We are not seeing a delivery of implementations, which is something we could show. I'd like to see a real TCP-AO implementation, and a mock-up of what AKM we might add to it, and see a package that might actually work. We are seeing small pieces, but not the full thing we could use, or even mock-ups. I have been asking vendors at what point in time TCP-AO is on your delivery list??? The answer is sometime in a couple of years (if you continue to bang on our door)!

[Jeff] I am here looking at the routing integration things. Vendors are implementing TCP-AO. There are separate pieces here. When you did the NANOG roadshow the AKM wasn't really settled yet. We now have concrete proposals: here is what they can look like, here is how you can interact with them and use them. Maybe talk about how NETCONF interacts with it. That is the roadshow you need. Here is the concrete proposal.

[Brian Weis] For the operators … is the PowerPoint enough (for a roadshow), or running code?

[Wes] Running code is better, or at least something that is close enough, showing how it works in PowerPoint. And then if you want to bang on it, here's someone you can talk to.

[Hartman] This working group is not very effective at using the mailing list.

[comment in background] Some people in the room are not on the list.

[Hartman] Is there silence because the mailing list is usually silent, or because nobody really cares? It's a question worth exploring.

[Wes] You have to convince people to use this even when it is very easy. Having this bit (management) more consistent across the platforms.

[Joel] Are you on the mailing list?

[Wes] No. I have admitted it. I should be on the list, and I should be participating more. But you have to make people like NANOG know about it, even if they don't participate here.

[Joel] It is much easier to get something happening at NANOG if an operator says this is OK than if an IETF WG chair says the same.

[Jeff] The challenge you have: how do we get the people who have security knowledge to review? I am on the mailing list and have provided feedback on the routing parts, but am unsuitable to comment on the security parts.

[Sean] We are getting review from security people. They have checked it and have not flipped.

[Uma] NETCONF is potentially better than manual key management, but doesn't compare with AKM.

[Joel] In spite of the comments that there is support in the room, we need to get the feedback on the list. If folks have suggestions to get more review, please send those to the list; then we can look at them.

[Hartman] Process question: why do you want to have it on the list? The room should be enough.

[Joel] We have not gotten the feedback in the room either. Need some support somewhere.

[Hartman] OK.

[Joel] Unless we get some work done before London, we might need to remove the items from the charter and close the WG when the current items are done. We don't want to take that route. Maybe it's better to wait a couple of years to see if there are implementations … that's not failure; we just want to be more effective.

[Weis] How many would be willing to review these two drafts if we put them up again?

End of meeting