Joint IETF 94 Operations and Management and OPSDIR agenda

OPSAWG

Address Pool Management - 10 minutes
http://datatracker.ietf.org/doc/draft-sun-i2apm-address-pool-management-arch/
http://datatracker.ietf.org/doc/draft-sun-i2apm-address-pool-management-yang/

Scott - underlying concept of address mgmt may not be right for this WG, but YANG model may be. Cross post to INT?
Fred Baker - conversation with Sunset4 chairs - may be in charter not for YANG, but for how to handle IPv6-only operation. Start with problem statement.
Philip Matthews - configuring address pools on devices - is it somehow different from other types of configuration, or could it be a subset of the more general effort to configure devices?
Joel Jaeggli - pool mgmt is a subset of overall address mgmt. We've repeatedly crossed the ground without actually solving the problem. Probably work to be done here. Previous failure to solve indicates that it's not easy to solve. Management and modeling considerations mean some coordination is useful between element mgmt, address mgmt, pool mgmt, etc.
Benoit - don't worry about where, but definitely work on it.

On Firewalls in Internet Security - 20 minutes
https://datatracker.ietf.org/doc/draft-gont-opsawg-firewalls-analysis/

Flemming Andreasen - assume for well-known ports, but modern firewalls do DPI and look for protocols on non-standard ports.
Fernando - sometimes port is assumed static but isn't.
Lee Howard - working on a review. Several functions in here that I don't think of as firewall functions but rather other security appliances - e.g. IDS, packet scrubbers. You defined FW as something that looks at packets at L3/L4; some of this is L7, which can be a firewall, but that's not how you have it defined. Packet scrubbing isn't really "allow or block packets from being passed". Question: should this doc include broader elements of perimeter security, or just firewalls?
Fernando - stick with FW to keep it a tractable problem.
Scott - be careful calling FW perimeter security - confusing, perimeter of what? Org, or cloud, or rack?
Fred Baker - maybe we have the title wrong? Perimeter Security Considerations.
Joel - middlebox taxonomy in IETF is a full-contact sport. Good accepted definition of what is/is not a firewall. IPS/IDS often have ACLs too, and operate at the same layers. Specify that you're working with a fairly expansive definition - FW functions, rather than FW devices themselves.
Al Morton - co-chair BMWG, tried to update FW benchmarking draft. Wanted to widen the scope, used term content-aware. Maybe consider that definition. Appreciate desire to keep this tractable. Check out drafts too (draft-hamilton...).
Flemming - What is the goal of this draft? FW is one of several security functions.
Fernando - more about how a system like this creates problems with the draft.
Warren - how many read? Plan to read?

15:59 OpsAWG ends

OPS area

Introduction

Private Enterprise Numbers (PEN) update
https://tools.ietf.org/html/draft-liang-iana-pen-06

YANG progress overview
Andrew Veitch - Discuss what work is going on with versioning?
Benoit - when we post, people want to quickly update. RFC updates very different than open source. Might have multiple versions over different devices and applications.

Opsarea WG, scope, new work.
Bradner stepping down from OpsAWG after next meeting, looking for volunteers to replace him.

Open Mic:
Dan Romascanu - why was firewall work directed to OpsAWG and not to opsec?
Fernando - weren't sure where to go, even published to TSVWG to get ops, security, transport people; defaulted here as previous version was here.
Fred - Warren's fault.
Dan - SACM doc defines Security Vulnerability reports. Use case - what operators do when they assess networks for security vulnerabilities. Very useful for the WG. Would like to send it to the operator community for review - where?
Joel - more security focused folks in Opsec, but overlap between there and OpsAWG is pretty high.
Warren - cc OpsAWG.
Al Morton - Kathy M and I wrote a draft about effects of Ubiquitous Encryption, draft-mm-wg-effect-encrypt, which may be of interest to this group.
Joel - definitely concerns from specific communities. Satellite operators like to play with bits in the header, contents, do layer 7-10 things to the content. We're not entirely sympathetic, but they deserve to be heard.

14:20 Session END