Minutes IETF101: intarea
minutes-101-intarea-00

Meeting Minutes Internet Area Working Group (intarea) WG
Date and time 2018-03-19 15:50
Title Minutes IETF101: intarea
State Active
Other versions plain text
Last updated 2018-03-21

IntArea WG Minutes
IETF 101 - London
15:50-17:20 Monday January 19, Afternoon Session II, Sandringham

Chairs:
Juan Carlos Zuniga (JCZ) (SIGFOX)
Wassim Haddad (WH) (Ericsson)
Minutes - Ian Farrer (IF)

1. Agenda Bashing, WG & Document Status Updates (Chairs)
   10 minutes

Suresh Krishnan (SK) - Discussion on IESG for logging with ports (CGN logging).
The recommendations on whether it is practical, inventory of what's in servers.
It'll be presented at the end. I'd appreciate it if you would pay attention
and see if we should update the BCP.
=============

2. Discovering Provisioning Domain Names and Data, Eric Vyncke (EV)
   15 minutes
   draft-ietf-intarea-provisioning-domains-01

Volunteers to review the current version of the draft:
Tim Chown, Ted Lemon, Mikael Abrahamsson, Ian Farrer

No questions.

JCZ - We have asked the Security Area directorate to provide a review.
Hopefully, we'll get something back from them.
==============

3. IP Tunnels in the Internet Architecture, M. Townsley (MT)
   10 minutes
   draft-ietf-intarea-tunnels-08

Not presented.
==============

4. Generic UDP Encapsulation and Extensions, Tom Herbert (TH)
   10 minutes
   draft-ietf-intarea-gue-05
   draft-ietf-intarea-gue-extensions-03

Gorry Fairhurst (GF) - I'm curious about why you need 3 CRC formats?
TH - It's a 2-bit field so there's 3 combinations. The argument is that CRC-32
is expensive, so CRC-16. I couldn't find consensus on what is preferred in the
IETF community.
GF - This is creating options for the sake of it. We used CRC-32c in the SCTP
community. There's a doc that discusses the difference. Computationally it's
not that much more expensive.
TH - They all have a length field, so it's optional. I don't have a strong
opinion.

David Black (DB) - If you want to use more than one format, let me give
you another option. iSCSI CRC-32c are implemented in hardware and so are cheap.
I suggest two stages:
    1, get rid of CRC16
    2, require CRC-32c
If you stop at step 1, I won't complain.

GF - Why not ask in TSVWG? The transport area can give you some feedback.
=============

5. Identifier-locator Addressing for IPv6, Tom Herbert (TH)
   10 minutes
   draft-herbert-intarea-ila-00

JCZ - People with comments and/or interest are encouraged to attend the BoF
meeting later this week.
==============

6. Privacy and Network Address Assignment, Tom Herbert (TH)
   5 minutes
   draft-herbert-ipv6-prefix-address-privacy-00

Tim Chown (TC) - 1, I think this is useful. Compared to privacy of hosts as it
stands, you might want public and private prefixes.
TH - We would do a block allocation for privacy.
TC - If something was allocated from an ISP, then a rotating prefix and a
stable prefix would be good. Rather than renumbering.
TH - I'm not sure it's rotating. They could be requested on demand.
TC - This shares a lot of problems that we have with CGNs. Users use VPNs for
privacy. We're looking for more subtle privacy. I'd like stability for
services.
TH - I'd imagine there was a lot of legacy.
TC - I think there's some more pragmatic things that need to be considered.

Lorenzo Colitti (LC) - I think stating these goals is misleading. You said
it's out of scope of what an ISP can do for privacy, but declaring it out of
scope doesn't make it so. The fact of the matter is the ISP has to maintain a
log of everything you did. If they just give you a prefix that rotates, they
don't have to keep all of that information. I don't think that's a full
solution.
TH - What you do with NAT is the same. ISPs have to keep this information.
LC - I don't know that's true.
TH - It's not clear to me why that is. The NAT logs should be enough for law
enforcement.
LC - The server may not hold the source port information. I think basically
declaring it out of scope is an error. Any solution that gives the ISP all of
the information. You don't have to track every connection.
TH - You don't have to do that here either.
LC - One proposal was a different address, so this would need to be logged.
TH - If I assign 1 address and it's used for one connection, then you have to
track that. NAT knows more than that (the port).
LC - I'm talking about the goal. We have to provide privacy. One solution under
your scheme is that the ISP logs every 5-tuple.

Kyle Larose (KL) - If I give millions of IPs to every host, can the ISP run out
of addresses?
TH - They're blocks of /128s.

Dave O'Reilly (DO) - The law enforcement perspective from people that I've
worked with is if there's any illegal activity, the focus of interest will be
on who was controlling the IP address at the time. ISPs are required, almost
everywhere, under regulation to identify subscribers - so the proposed privacy
measures will need to take this into account. The other point I wanted to make
is that connection logging is a terrible idea. The risk of the loss of that
data is huge. If it gets out you can see everything that I was browsing. The
volume of logging generated is also prohibitive. If there was some alternative,
then I would like to see it.
TH - It's a good point. But, this solution is not connection logging. It's
address allocation tracking. I'm assuming law enforcement had... (missed)

Nick Doty (ND) - If we have too many rotating identifiers at once we may lose
the privacy if they aren't rotated in a coordinated way.
TH - The client has control over this. Please look at the draft. Maybe the
attackers haven't got to this level yet, but it's going to be a problem.
ND - I'll follow up.
===================

7. IP Fragmentation Considered Fragile, Ron Bonica
   15 minutes
   draft-bonica-intarea-frag-fragile-01

JCZ - How many people have read the draft?
(10 or so hands)

DB - I'm here to help! Please make sure that what you do here is aligned with
the intarea tunnels draft. There's fragmentation text in there so make sure
they match up.
===================

8. SOCKS v6, Vladimir Oltenau
   10 minutes
   draft-olteanu-intarea-socks-6-02

JCZ - Who has read any version of the draft?
(c. 10 people)
I encourage people to read this version and provide comments.
==================

9. Availability of Information in Criminal
   Investigations Involving Large-Scale
   IP Address Sharing Technologies, David O'Reilly (remote) (DO)
   5 minutes
   draft-daveor-cgn-logging-02

Christian Huitema (CH) - Clarification question. Are you asking for this log in
the network or in the NAT?
DO - It's the servers that are logging. Most people running a NAT have to
provide logging in accordance with their national regulations. For CGN, if
there is no time or source port, the ISP can't query the logs, even if they
have them. Therefore there's an information gap in some CGN scenarios. If your
website got hacked and you don't have the source port and time, you've got no
chance.

Alain Durand (AD) - I was one of the original 6302 authors, I take your point.
We could have an offline conversation about an updated version of the document.

DO - The scope could be extended to provide guidance to implementors of server
software. There are cases where people writing in-house software may use this
as well.

Mikael Abrahamsson (MA) - I've done this and provided lists of 16 addresses
for PBA. This is enough.
DO - I believe in Belgium, 16 is mandated somehow.

SK - I want to gauge if there's interest in updating RFC 6302.

EV - In Belgium, it's a voluntary thing.
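The information gap discussed under item 9 (and the port-block allocation that
MA mentions) is easy to see with a small worked example. The following Python
is added here for illustration; it is not part of the minutes, of
draft-daveor-cgn-logging, or of RFC 6302. The CGN allocation log, the server
log lines and the subscriber names are all constructed, and the server log
format ("timestamp client-ip[:port] request") is an assumption, not any
product's real format. It shows that a server-side record which carries both an
accurate UTC timestamp and the client's source port maps to exactly one
subscriber behind a shared CGN address, while a record lacking either field can
only be narrowed to a set of subscribers.

```python
"""Attributing a CGN-shared public address back to a subscriber.

Added example (not from the minutes or any cited draft). All leases, log lines
and subscriber identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortBlockLease:
    """One CGN port-block allocation: subscriber -> (public IP, port range)
    for a time window. A real CGN exports records like this for the ISP's
    lawful-request lookups."""
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int                 # inclusive
    start: datetime
    end: Optional[datetime]      # None = lease still active


def _utc(s: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed CGN allocation log: four subscribers share public address
# 203.0.113.7 (a documentation prefix). sub-C receives sub-A's port block as
# soon as sub-A's lease ends, so the same (IP, port) pair belongs to different
# subscribers at different times.
CGN_LOG: List[PortBlockLease] = [
    PortBlockLease("sub-A", "203.0.113.7", 1024, 2047,
                   _utc("2018-03-19T10:00:00Z"), _utc("2018-03-19T12:00:00Z")),
    PortBlockLease("sub-B", "203.0.113.7", 2048, 3071,
                   _utc("2018-03-19T10:00:00Z"), None),
    PortBlockLease("sub-C", "203.0.113.7", 1024, 2047,
                   _utc("2018-03-19T12:00:00Z"), None),
    PortBlockLease("sub-D", "203.0.113.7", 3072, 4095,
                   _utc("2018-03-19T09:00:00Z"), None),
]


def attribute(leases: List[PortBlockLease], public_ip: str,
              when: Optional[datetime] = None,
              src_port: Optional[int] = None) -> List[str]:
    """Return every subscriber whose lease could have produced traffic from
    public_ip at time `when` with source port `src_port`.

    A missing timestamp or port does not raise; it simply fails to narrow the
    candidate set, which is exactly the evidential gap the discussion is about.
    """
    hits = set()
    for lease in leases:
        if lease.public_ip != public_ip:
            continue
        if when is not None and not (
                lease.start <= when and (lease.end is None or when < lease.end)):
            continue
        if src_port is not None and not (lease.port_lo <= src_port <= lease.port_hi):
            continue
        hits.add(lease.subscriber)
    return sorted(hits)


def parse_server_log_line(line: str) -> Tuple[datetime, str, Optional[int]]:
    """Parse the constructed server log format
    '<ISO-8601 UTC timestamp> <client-ip>[:<client-port>] <request...>'
    and return (timestamp, client_ip, client_port_or_None)."""
    ts, client, _request = line.split(" ", 2)
    ip, sep, port = client.rpartition(":")
    if sep and port.isdigit():
        return _utc(ts), ip, int(port)
    return _utc(ts), client, None          # port was never logged


def attribute_log_line(line: str, leases: List[PortBlockLease] = CGN_LOG) -> List[str]:
    """Convenience wrapper: attribute one server log line against the CGN log."""
    when, ip, port = parse_server_log_line(line)
    return attribute(leases, ip, when, port)


if __name__ == "__main__":
    # Constructed server log lines for the same incident, with and without port.
    for line in ("2018-03-19T11:30:00Z 203.0.113.7:1500 GET /login",
                 "2018-03-19T11:30:00Z 203.0.113.7 GET /login"):
        print(f"{line!r} -> {attribute_log_line(line)}")
    # Port known but time unknown: the block was reused, so still ambiguous.
    print("port 1500, time unknown ->", attribute(CGN_LOG, "203.0.113.7", None, 1500))
```

Running it shows the three cases CH and DO trade: with timestamp and port the
answer is a single subscriber, without the port it is every subscriber holding
a block on that address at that moment, and without a usable timestamp the
port alone still returns two subscribers because port blocks get reassigned.
This is the reason RFC 6302's recommendation to log source port and accurate
UTC time on Internet-facing servers matters for CGN deployments.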
==================