Minutes IETF98: opsec
minutes-98-opsec-00

Meeting Minutes Operational Security Capabilities for IP Network Infrastructure (opsec) WG
Date and time 2017-03-28 21:40
Title Minutes IETF98: opsec
State Active
Last updated 2017-04-12

Minute taker - KK
Jabber Scribe - Joel Jaeggli

Note Well

Agenda bashing:
The chairs have invited authors from outside opsec; these drafts will benefit
from opsec feedback.

* Mailing list is quiet
* Two active WG items
   * EH filtering
   * IPv6 operational security
* Individual documents
   * URPF

I2RS Security Environment (Daniel Migault in lieu of Susan Hares)
* Provides 37 requirements for those who implement and deploy I2RS
* Brief refresher of I2RS
* Trust+Tell - Access control active throughout the plane
* Automate security
* Question (didn’t get name): How do you provision everything (EV)
   * That is part of management. This is all in the context of the I2RS agent
   * The security piece here is all about implementation, just like NETCONF,
   RESTCONF.
* Who thinks this was useful? Called via hum. The WG finds it useful

Operational Security Considerations for IPv6 Networks, Merike Kaeo
* Chairs asked the audience for how many have read: about 7 out of 50
* Chair: last WGLC was delayed because of delayed updates... is it not OK?
* Merike: we do believe that it is ready for WGLC; it is current to the state
of things right now
* Chair: nobody objecting to WGLC in the middle of next week? No objection

Security of Messages Exchanged Between Servers and Relay Agents, Bernie Volz
* This draft is from the DHC WG
* Updates text in RFC 7839
* IESG raised issues, hence took on the work for improving messaging between
relay and server
* Draft proposes: MUST use IPsec for DHCPv4 and v6 (relay to relay, relay to
server)
* IKEv2 stuff
* Passed DHC WGLC, sent to IESG
* IETF Last Call ended

IPv6 DOTS Signal Option, Jérôme François
* Signal DDoS attacks from a DOTS client (detection) to a DOTS server (mitigation)
* Joel Jaeggli
   * You have an assertion in your doc that routers process hop-by-hop header,
   probably need to remove that.
* Warren Kumari
   * If I’m not careful, I might be signaling to everyone that I’m under attack
   * Jérôme - Yeah you’ll have to be careful on ingress/egress policy
   * We’re happy to get more feedback on this; we already got some from 6man
* Eric Vyncke - #4 is not feasible (slide 5)
* Jen Linkova
   * I like when people find apps using EH
   * Concerns:
      * You’re dropping traffic, then you’re adding EH; routers are already
      prone to dropping traffic and this may make the situation worse
      * What do you do if you need to send ICMP back?
         * Jérôme - We didn’t think of it yet, thank you for the feedback.
      * Not sure what you want the router to do when they see the HBH header

Automatic Certificate Management Environment (ACME), Richard Barnes
* We want all websites encrypted, but they need certificates; for ages the
process to get a certificate and provision it was mostly manual. ACME
automates management of certificates
* DNS based certificates
* Extensible identifier space
* Finished WGLC; talking during the ACME meeting
   * Jeff (didn’t get last name) - Can we use it to automate DNSSEC deployments?
   * This is solving a slightly different problem. Not sure how it would apply
   to DNSSEC
* Montgomery (didn’t get last name) - Security Considerations section
   * If I have outsourced DNS, proof of ownership is empirical
   * There are some tools in the doc to make sure that it is harder for the
   attacker
   * If someone attacks you at the registrar, then there is very little you
   can do
* Eric Vyncke
   * Are you serving OCSP?
   * Richard - OCSP is external to ACME