Minute taker - KK
Jabber Scribe - Joel Jaeggli

Note Well

Agenda bashing: The chairs have invited authors from outside opsec; these drafts will benefit from opsec feedback.
* Mailing list is quiet
* Two active WG items
  * EH filtering
  * IPv6 operational security
* Individual documents
  * uRPF

I2RS Security Environment (Daniel Migault in lieu of Susan Hares)
* Provides 37 requirements for those who implement and deploy I2RS
* Brief refresher of I2RS
* Trust+Tell - access control active throughout the plane
* Automate security
* Question (didn't get name): How do you provision everything (EV)?
  * That is part of management. This is all in the context of the I2RS agent.
  * The security piece here is all about implementation, just like NETCONF and RESTCONF.
* Who thinks this was useful? Call via hum. The WG finds it useful.

Operational Security Considerations for IPv6 Networks, Merike Kaeo
* Chairs asked the audience how many have read it: about 7 out of 50
* Chair: the last WGLC was delayed because of delayed updates... is it not OK?
* Merike: we do believe that it is ready for WGLC; it is current to the state of things right now
* Chair: nobody objecting to WGLC in the middle of next week? No objection

Security of Messages Exchanged Between Servers and Relay Agents, Bernie Volz
* This draft is from the DHC WG
* Updates text in RFC 7839
* IESG raised issues, hence took on the work of improving messaging between relay and server
* Draft proposes: MUST use IPsec for DHCPv4 and DHCPv6 (relay to relay, relay to server)
* IKEv2 stuff
* Passed DHC WGLC, sent to IESG
* IETF Last Call ended

IPv6 DOTS Signal Option, Jérôme François
* Signal DDoS attacks from a DOTS client (detection) to a DOTS server (mitigation)
* Joel Jaeggli
  * You have an assertion in your doc that routers process the hop-by-hop header; you probably need to remove that.
* Warren Kumari
  * If I'm not careful, I might be signaling to everyone that I'm under attack
  * Jérôme: Yeah, you'll have to be careful with ingress/egress policy
  * We're happy to get more feedback on this; we already got some from 6man
* Eric Vyncke: #4 is not feasible (slide 5)
* Jen Linkova
  * I like it when people find apps using EH
  * Concerns:
    * You're dropping traffic, then you're adding an EH; routers are already prone to dropping traffic and this may make the situation worse
    * What do you do if you need to send ICMP back?
    * Jérôme: We didn't think of it yet, thank you for the feedback.
  * Not sure what you want the router to do when it sees the HBH header

Automatic Certificate Management Environment (ACME), Richard Barnes
* We want all websites encrypted, but they need certificates; for ages the process to get a certificate and provision it was mostly manual. ACME automates management of certificates
* DNS-based certificates
* Extensible identifier space
* Finished WGLC and talking during the ACME meeting
* Jeff (didn't get last name): Can we use it to automate DNSSEC deployments?
  * This is solving a slightly different problem. Not sure how it would apply to DNSSEC
* Montgomery (didn't get last name): Security considerations section
  * If I have outsourced DNS, proof of ownership is empirical
  * There are some tools in the doc to make that harder for the attacker
  * If someone attacks you at the registrar, then there is very little you can do
* Eric Vyncke
  * Are you serving OCSP?
  * Richard: OCSP is external to ACME