Minutes IETF99: ideas
IDentity Enabled Networks
# IDentity Enabled Networks (IDEAs) BoF
## IETF 99, Prague
* Date: 19 July 2017
* Time: 13:30-15:00 CEST
* Room: Congress Hall II
* Chairs: Tim Wicinski <email@example.com>
* Chairs: Brian Haberman <firstname.lastname@example.org>
* IESG Overlord: Alvaro Retana <email@example.com>
* IAB Shepherd: Erik Nordmark <firstname.lastname@example.org>
Scribes: Toerless Eckert, Uma Chunduri, Amreesh Phokeer
Participants on Meetecho:
* Antonell Molinaro (grey)
* Bjorn Hjelm (grey)
* Jean-Michel Esnault (grey)
* John Leslie (grey)
* Simon Pietro Romano
* Wolfgang Beck (grey)
* Agenda Bashing, Blue Sheets, etc, 10 min
* Why Are We Here?, Chairs, 10 min
Intro by Tim
"Why we are here" slides from Brian
Goal: is there a framework to provide ID-based services
* Problem Statement, Pillay-Esnault, 15 min
Problem statement by Padma. Motivation: look at the perspective of all network actors, ubiquitous mobility, etc.
- user perspective: context-aware features, access control and privacy
Slide2: Proposal: identity/identifier split
Slide3: Difference between identity and identifier; identity is an enabler and immutable.
Slide4: Problems addressed: Privacy.
Slide5: Protection against
Encryption of the IP packet would conceal the ID header and hence would defeat identifier services that can be done at the identifier layer in the packet.
Slide7: Lack of common infrastructure and primitives
- There is a wide diversity of devices and a variety of solutions
Identity services that take care of the identity/identifier split.
Mapping services for the identifier and location split.
Change in the protocol is to interact with the other protocols.
GRIDS-CP protocols to access GRIDS services; other WGs can extend their CP to utilize the services that would be defined by GRIDS.
Slide9: Scope of work
Slide10: Out of scope
not trying to do mapping of domain names
Slide11: relationship with other WG
IDEAS would want to collaborate with them for more integration
Ravi Ravindran: how much security is exposed? Most of the concerns are in the higher layer. Also, "who" would use this? Padma: doesn't need to be a service-level application, but service-aware applications. Could be used to prevent unwanted traffic? Uma Chunduri: several use cases listed in the use-case draft, e.g. IoT use cases.
ICN is about data and naming content, not devices.
Tim (WG chair): please postpone discussion to next step.
Nat Sakimura (NRI/OpenID): Alignment with the Access and Management community: group identifier and individual-within-group identifier.
Padma: need to define what identifier means in the context of the IETF. Identifier and locator are meant to show where you are. Bob's presentation will show this better. Sakimura: could help you to align with our community, you
Luigi on slide8: on the control plane, how to choose the parameters?
slide11: careful how to move forward, needs collaboration between WGs
Wolfgang Riedel: end-to-end encrypted, ID is meaningless. Need to think about a different way to identify the application. Maybe should widen scope to be closer to
Robin Wilton (Internet Society): Taxonomy & layers we are talking about here (network layer, application layer or human layer??). Identity of the individual is not relevant in each of these individual layers. Padma: Let's have Bob's
Chair (Tim) question: how many have deployed LISP in their production network? (a dozen) Fabio Maino: HIP/ILA? Padma: large deployment of ILA in Facebook. HIP answer from audience: folks with deployment are not here but exist. Tim (Chair): working at Salesforce, deploying LISP scares them, they love BGP. Rather write a bunch of software with APIs, shp from 5 years ago. Padma: Some IDEAs contributors not present, e.g. working in IoT.
* Identities and Identifiers for ION and the IETF, Moskowitz, 5 min
Slide1: what is IDentity and Identifier and why the distinction.
Definition of Identity for IDEAS: we are talking about identity of machines and NOT of people; identity is unique to an entity, which is a machine. The concept of identity can be shared, understood and expressed somehow (support for multiple languages of identity), which would make it scalable.
Slide2: What is an identifier for IDEAS? It's an IETF endpoint that is not routable; it should be transparent to the application and the location/ID mapping system.
Parviz Yegani: We have been here before in the IETF and talked about identity. NAI has a user portion and a realm. Scope of identity should be billable (like IMSI, which is globally unique).
Why is IDEAs close to IMSI or IMEI??
Bob: Billing as metadata. We want Identity to be access to the IDentifier/Location system. Wolfgang Beck: IP prefix irrelevant to application services. Bob: welcoming discussion how to include:
: why not use public key as identifier?
Bob: Which format of public key and which algorithm (is this ID_KEY_ID??)
Michael: It's OpenSSH..
* Host Identity Protocols on Identity and MAPing, Moskowitz, 10 min
Slide1: HIP is based on a new flat namespace, a valid non-routable IPv6 address. The HIT is derived from the Host Identity and it is SIGMA compliant to exchange Identity/Identifier between peers.
Slide2: Explains the HIP base exchange; it is a very lightweight protocol for exchange of identity/identifier. Either party can be the initiator.
Slide3: HIP mobility is a concept of a rendezvous service.
Slide4: What happens when a peer moves or both peers move at the same time.
Slide5: HIP weaknesses: there is too much crypto, change in IP stack behavior and HIT discovery.
Slide 8: HIT discovery can be done much more effectively through IDEAS (currently it uses DNS RR).
* Cabellos, 15 min
Slide2: Brief history: IP addresses have overloaded semantics, so the solution proposed was to split identity/identifier.
Slide 3: LISP overview (Identifier, Locator and mapping of these two through the Mapping system).
Slide 4: What are the common operations of ID/LOC protocols.
Slide 6: How location tracking works in LISP. It is easy for an attacker to track the location of the node, which raises privacy concerns.
Slide 7: Propose policies that will be enforced. Host can define access policies and attackers cannot track if policies are enforced.
Slide 8: IDEAS introduces the idea of privacy; it supports fine-grained access policies.
Slide 9: Concept of identity. Identity helps to tie all the long-lived and ephemeral identifiers.
Slide 10: There are gaps identified in the identifier/LOC protocols and IDEAS introduces the notion of identity.
Slide 11/12:
Slide 13: Gives a summary of gaps identified and therefore IDEAS introduces the notion of identity, strong requirements for privacy and a common infrastructure for identity/identifier and identifier/location mapping.
Parviz: Identity in a fixed network is easier as the scope is fixed. But in mobile networks it is difficult. What is the scope? Bob: Mobility, multi path is done
Toerless: It would be good if the chairs ask about the problem statement and use case drafts.
Ca. 40%...50% of people read the problem statement and gap analysis drafts.
Georgios: would like to see charter read.
Tim: way too dense, take out 75%. This work can be done on the list as well. ADs seemed to be a lot more amenable to spin up a WG with a much more lightweight charter. Give yourself room to possibly go backward during work to change exact details of deliverables. Jim Guichard: Questions asked indicate that use-case drafts were not read by questioner. Raise of hands: ca. 50% of people read
Brian Haberman: is the work to be done well enough defined/understood?
Fabio Maino/Cisco: Observation: One presentation seems to be on a meta-protocol, mapping identity to identifier (from Albert's presentation). E.g.: if I have privacy concerns, use that protocol. Slide 8 with picture (GRIDS): Are the green arrows in the charter? Padma: LISP and HIP have a control plane, ILA does not. Those arrows (e.g. into ILA) still need to be discussed. Not clear if that should be in scope. Fabio: other aspect is the data plane, need to decide about scope.
Dirk Kutscher: Today we have different services that all do identifier mapping (e.g. to locator). Benefit in defining a generic service, add privacy features, policy. In the internet today, we have a couple of systems, SIP, etc., decentralized, DNS. How much do I trust each of these? Do you see the risk that there could be some big universal system that can be abused?
Bob Moskowitz: Definitely one of the use cases we want to consider. Can we start mapping those databases together or is it too big? Uma Chunduri: <...missed..> uma pls. fix
Jari Arkko: Don't have a comment about the proposed work, other than generalizing the locator/identity split. Some presenters said identities are a permanent thing. Would not like to see a situation where, when the identifier changes, I need to have an exchange with the infrastructure; that does violate privacy (did he say identifier or identifier in this context?). BobM: yes, concerns, long discussed. Brian Haberman: Identity has its own lifecycle, did not give a value for how long this means. Bob: non 802.1AR cert for lifetime.
Brian: hum now if you think the problem is well defined: 50% hum; hum now for not:
Dave Oran: Did people look at APIP and reject it because it's not a locator/identifier split protocol? Sigcomm paper: https://www.cs.cmu.edu/~dnaylor/APIP.pdf Padma: Can discuss... Dave: Thinks the paper nails the problem statement, read the paper.
Brian Haberman: Your question was whether the design team has done a literature review. Dave: Yes. It's fine if the scope is to make identity work for identifier/locator split solutions, but there are problems for identity beyond that scope and people should be aware of it and position re. those problems?!
Brian: is there something to be done for IETF: 50%, 50%. Brian: thinks in favor of more work to be done. Cullen Jennings: A lot of us think the work is undefined. You would have gotten a lot clearer distinction if you had asked whether the work as defined in the charter is clear; thinks it is not.
Brian: Who would actively participate: ca. 2..3 dozen hands raised.
Chairs will sit down with Alvaro to discuss how to go f
Oberman: Discussion whether this was more appropriate as a research working group. Would like to hear reasoning why this should be a working group. BobM: thinks he and Dino have slightly different ideas about what standards features to be defined should be done. First round discussion should be exactly what infrastructure components to define/spec, aka: a little undefined. Have not taken all of that to the mailing list yet.
Tim: How would we resolve this if we were just a bunch of software hackers? Just write a bunch of code. Bob: have an answer to that question.
Uma: Bits & Bytes tomorrow evening with prototype code for GRIDS.
Tim: Thanks, encourage to go. Was on slides, forgot to mention.
Georgios: Charter review ?
Brian: Not worth it, first need discuss with AD.
Meeting now officially over.
Tim: Lot of questions asked here might have been discussed and thought about
but that was not brought up to the list. Friendly suggestion to bring
discussion to the list.
Tim: Half of who read Use cases document
### Next Steps, 30 minutes
* Enough Interest in a WG?