
Minutes IETF100: opsec
minutes-100-opsec-00

Meeting Minutes Operational Security Capabilities for IP Network Infrastructure (opsec) WG
Date and time 2017-11-13 07:50
Title Minutes IETF100: opsec
State Active
Last updated 2017-12-11

IETF 100 - OPSEC Agenda

    Monday, November 13th, 2017
    15:50-17:20 Afternoon Session II
    Room: Olivia
    Chairs: Eric Vyncke, Gunter Van de Velde

    1. WG Status Update (Eric Vyncke)

    RFCs:
        None

    WG Drafts:
        draft-ietf-opsec-ipv6-eh-filtering
                WGLC in September
                Needs more work
        draft-ietf-opsec-v6
                WGLC in April
                Needs more work

    Individual Contributions:
        draft-sriram-opsec-urpf-improvements
        draft-gont-opsec-icmp-ingress-filtering

    2. draft-ietf-opsec-ipv6-eh-filtering, Recommendations on the Filtering of
    IPv6 Packets Containing IPv6 Extension Headers. (F. Gont)

    Ron Bonica - We should be explicit about which transit router this document
    is addressing. One inside an ISP or one at the edge of an enterprise. Also,
    at the last NANOG, there was a large conversation about fragmentation
    headers. We want to see how that conversation lands before we publish this
    document.

    Bob Hinden - This also needs review or maybe a last call in 6man. Also, I
    don't see much value in talking about current implementations. The document
    should talk about what we should do. It isn't ready to publish.

    Erik Kline - Given that we have these blacklists, how do we ever ship a new
    option? Does the document allow experimental headers to pass?

    Fernando Gont - We do whatever RFC 7045 says. We permit experimental and
    unknown headers. We only blacklist a few well-known EHs.

    Brian Carpenter - Scope the document even more narrowly than Ron suggests.
    Talk about specific classes of transit router. Also, don't use the word
    "Intermediate System" in the document. This is a term of art in IPv6. Use
    the term "transit router".

    Lee Howard - The document says that packets with unknown IPv6 EHs (i.e.,
    not in the IANA registry) should be dropped. This means that Erik's
    objection is very real.

    Fernando - disputes the point.

    3. draft-ietf-opsec-v6, Operational Security Considerations for IPv6
    Networks. (Eric Vyncke)

    Merike - We still care about the document, but we don't have the time or
    energy to keep up with the comments. Do we want an issue tracker?

    Gunter - Ask the question on the list.

    Eliot Lear - In the section on ULAs, you miss a use case. This is where the
    network has no connectivity to the Internet.

    Brian Carpenter - This document also needs to be reviewed and last called
    in 6man and v6ops. There are also a few problems in the ULA section. There
    is a document in 6man on ULA.

    Ron Bonica - And there is another document on ULA in v6ops.

    4. draft-ietf-opsawg-mud, Manufacturer Usage Description Specification.
    (Eliot Lear)

    Ron Bonica - I support the idea. One question: The draft assumes some
    minimal filtering capabilities on the part of the controlled device. What
    are those? What happens when the device can't filter to the required
    specificity?

    Eliot - We use a constrained version of the IETF ACL model.

    Fernando Gont - Why did you decide to pull the policy from the vendor, as
    opposed to the device?

    Eliot - Because the device may not have room to store the policy.

    Fernando - What happens if the vendor turns evil or gets hacked?

    Eliot - The device is more vulnerable than the vendor's web server.

    Doug Montgomery - I think it's good work. How do you make this scale? What
    happens if I have a million light bulbs from a million vendors? Do I have a
    million ACLs? Maybe you could bind a MAC prefix to a device type.

    Erik Kline - Good work. Who pulls the ACL for the devices? What happens if
    the device is hacked? Or if the device changes certs?

    5. draft-fairhurst-tsvwg-transport-encrypt-03, The Impact of Transport
    Header Encryption on Operation and Evolution of the Internet. (Gorry
    Fairhurst)

    Nalini Elkins - This is great. We would like to look at the transport
    header, and even inside.

    ??Andreason?? - This is great work. Let's progress it.

    Chris Morrow - This is interesting. Lots of the problems you are talking
    about are tooling problems. Maybe the tooling needs to change? This is a
    better solution than not encrypting.

    Warren Kumari - Good work. Please take a look at a similar draft called
    "The Effects of Pervasive Encryption on Operators". It has had one very
    entertaining last call and will have another LC.

    Igor Gashinsky - I am confused about the purpose of this draft. We are
    encrypting more so we can't see as much. Wasn't that the intent?

    Gorry - I want to understand what would be lost if we encrypted everything
    and then make a conscious decision about what to encrypt.

    6. draft-kuehlewind-taps-crypto-sep, Separating Crypto Negotiation and
    Communication. (Chris Wood)

    - No questions

    7. draft-baba-iot-problems, Problems in and among industries for the prompt
    realization of IoT and safety considerations. (Hiroyuki BABA and Yoshiki
    ISHIDA)

    - No questions

    8. draft-sriram-opsec-urpf-improvements, Enhanced Feasible-Path Unicast
    Reverse Path Filtering. (Kotikalapudi Sriram)

    - No questions