Skip to main content

Narrative Minutes interim-2024-iesg-14: Thu 14:00
narrative-minutes-interim-2024-iesg-14-202406201400-00

Meeting Narrative Minutes Internet Engineering Steering Group (iesg) IETF
Date and time 2024-06-20 14:00
Title Narrative Minutes interim-2024-iesg-14: Thu 14:00
State Active
Other versions plain text
Last updated 2024-07-11

narrative-minutes-interim-2024-iesg-14-202406201400-00
INTERNET ENGINEERING STEERING GROUP (IESG)
Narrative minutes for the 2024-06-20 IESG Teleconference

These are not an official record of the meeting.
Narrative Scribe: Jenny Bui, Secretariat

1. Administrivia
1.1 Roll call

ATTENDEES
---------------------------------
Amanda Baber (ICANN) / IANA Liaison
Jenny Bui (AMS) / IETF Secretariat
Deb Cooley / Security Area
Jay Daley / IETF Executive Director
Liz Flynn (AMS) / IETF Secretariat
Sandy Ginoza (AMS) / RFC Editor Liaison
Jim Guichard (Futurewei Technologies) / Routing Area
Mahesh Jethanandani (Arrcus) / Operations and Management Area
Erik Kline (Aalyria Technologies) / Internet Area
Murray Kucherawy (Meta) / Applications and Real-Time Area
Warren Kumari (Google) / Operations and Management Area
Cindy Morgan (AMS) / IETF Secretariat
Francesca Palombini (Ericsson) / Web and Internet Transport Area
Tommy Pauly (Apple) / IAB Chair
Colin Perkins (University of Glasgow) / IRTF Chair
John Scudder (Juniper) / Routing Area
Orie Steele (Transmute) / Applications and Real-Time Area
Éric Vyncke (Cisco) / Internet Area
Paul Wouters (Aiven) /  Security Area

REGRETS
---------------------------------
Roman Danyliw (CERT/SEI) / IETF Chair, General Area
Gunter Van de Velde (Nokia) / Routing Area
Zaheduzzaman (Zahed) Sarker (Nokia) / Web and Internet Transport Area
David Schinazi (Google) / IAB Liaison
Sabrina Tanamal (ICANN) / IANA Liaison

OBSERVERS
---------------------------------
Behcet Sarikaya
Ben Schwartz
Greg Wood

1.2 Bash the agenda

Liz: Mahesh suggested we do the agenda first because he can only stay on for
the first hour, but I know we have some documents to get through and the agenda
can take up a lot of time. What do you guys think? Any objections to doing the
agenda first or should we try to get through some documents  first?

Eric: I see one author, Ben, for the ADD document so if maybe we can put it at
the beginning. Just a small request.

Liz: We can do the ADD document then move to the agenda deconfliction. Anyone
else have any other suggestions? Issues?

1.3 Approval of the minutes of past telechats

Liz: Since this is our second telechat in a row, we haven't had enough time for
the minutes from last time to be approved so we wil do those at the next formal
telechat which is the last one before IETF 120.

1.4 List of remaining action items from last telechat

   * DESIGNATED EXPERTS NEEDED

     o Paul Wouters to find designated experts for RFC 9577 (The Privacy
       Pass HTTP Authentication Scheme) [IANA #1366921].

Liz: This came in within the last day or two so Paul, you got a new action item
here.

Paul: That one is actually in progress.

   * OPEN ACTION ITEMS

     o Roman Danyliw and Warren Kumari to 1) draft a revision of RFC 4858,
       2) draft a revised IESG Statement on Document Shepherds (original
       statement October 2010), and 3) update the WG Chairs wiki to point
       to the new IESG Statement.

Liz: I think you two are going to find time to talk about next week?

Warren: Yeah.

Liz: We'll leave that in progress.

     o Paul Wouters to open up an issue with the Tools Team asking for
       IANA to be notified about document state changes.

Paul: This is done.

     o Paul Wouters to write a proposal for handling IANA review
       mailing lists.

Paul: That will be done before the ISC meeting, it will be done in a few days.

     o All IESG to review Non-WG List Review spreadsheet and note
       which lists may be ready for closure and any needed AD Actions.

Liz: Anyone have any updates they want to share on this?

Paul: I think I still need to convey that the PERPASS list can close, I did not
hear any feedback there, but I still have to go through some of my own entries.

Liz: Just send us a note @support, letting us know which ones are ready to be
closed when that's ready.

Francesca: When you are done, you can put your name in the list of people who
are done with it.

2. Protocol actions
2.1 WG submissions
2.1.1 New items

 o draft-ietf-dtn-ipn-update-11  - IETF stream
   Update to the ipn URI scheme (Proposed Standard)
   Token: Erik Kline

Liz: We have a couple of discusses, do we want to discuss it now?

Erik: I think we can discuss some of them. I know Roman's not here.

Eric: I think Mahesh left as well.

Erik: Maybe we can talk about the process since Colin is on.

Francesca: I think I can take on Mahesh's point to start with. He mentioned
Russ GEN ART review and Russ was basically saying that this IRTF informational
document being updated by this document which is in the standards track. Well,
there are two things about this; first is it's a standards track updating
informational which a lot of ADs have already said they don't have a problem
with it, the other part is that this is an IRTF document, or this is an IETF
updating IRTF document. I did see this stream protocol link that you just
posted, Colin. I thought it was useful, but when I read that it sounded like
this is more for when an IETF document wants to obsolete or we want to make an
IRTF document historic or something like that.

Colin: This is just an update to it, right?

Francesca: This is just an update, and because we don't really define what
update means, we always have different opinions.

Warren: As long as the stream manager is OK with it.

Colin: If you send something to the IRTF then we can ask the IRSG to have a
look at it and since there isn't any work in the space, I think it will be fine.

Warren: In the next couple of months there's going to be a document from DNSOP
which updates an independent stream document and we spoke to the ISE and we
were like 'hey are you cool with this?' and he was like 'yeah, perfectly fine.'

Francesca: Warren, make sure that gets into the shepherd write up so that the
IESG is aware you have done that.

Warren: It's already in there.

Erik: Zahed, did some initial communication but I wasn't aware of this and I
wasn't tracking this so I can follow-up on sending something to the IRTF.

Colin: If you get it to Jenny to put it on the IRSG agenda for next time, we'll
talk about it and approve it.

Erik: How do I do that?

Colin: Send an email to myself and Jenny.

Liz: Jenny is also on the call.

Jenny: I can add this to the agenda.

Erik: So if we do this, and the IRTF folks come back with a general approval,
do we think that addresses people's discuss points?

Francesca: I think it addresses mine, I think it addresses Mahesh's as well but
i'm not speaking for him. The other thing, I didn't understand why even there
was an update of that document and I saw that other ADs had the same question
as me. I don't understand why there is that link there, and if you don't need
that link, you might not need to do this whole thing.

Erik: Because 7116, defines an IANA registry for these CBHE numbers, and what
this document is doing is relaying out this registry which is rearchitecting
that registry by introducing this applicator.

Francesca: Is it just changing the name or doing additional things? Because the
name change, I have seen it but I wasn't sure you needed that link there for
that.

Erik: It's actually taking a 64 bit number space and splitting it into 232 bit
number spaces. Unfortunately, I think neither of the authors are on the call.
It's a bit more invasive surgery than cosmetic.

Eric: I agree it's an updating the document but it is completely unclear in the
comments. When you're reading this draft, you don't know what has been updated.

Erik: There's supposed to be a clear update section or at least in the abstract
or intro. That should be clarified.

Warren: Actually, as a quick note i've been pushing my authors and working
groups really hard to make sure that their abstract has a thing like 'this
updates, RFC number by changing the definition of something,' because I find
that they've been missing that and the purpose of the abstract is for people to
know if they need to read the rest of the document.

Liz: This sounds like it will be staying in IESG Evaluation for now, revised ID
needed or AD followup?

Erik: Why not both? Revised ID needed, and AD follow-up i'll send email to the
IRTF.

 o draft-ietf-add-split-horizon-authority-14  - IETF stream
   Establishing Local DNS Authority in Validated Split-Horizon
   Environments (Proposed Standard)
   Token: Éric Vyncke

Liz: Eric, do you want to discuss these discusses?

Eric: I think we need to discuss this one, for sure. Thank you to Ben for
joining the call to talk about this document. So i've seen that this morning,
my time, Tiru, who lives in India has submitted a new revised ID addressing
John's points and by the way, John, I should've spotted this one. Basically,
the revised ID goes in your direction, it must, if you don't get there don't
retry. It is pretty much clear. Murray, the same thing about the missing
reference base64 URL encoding, the new revised ID request is there. So I think
it was two simple and valid discuss, I should've spotted them before. I would
assume that those two discusses will be clear, and we will just get enough
ballots to pass. Now the abstaining is concerning, of course. I don't know what
to do, obviously, there's been some discussion back and forth between Paul and
the authors on this one. For me, I obviously respect the abstain position. I'm
not sure now, Paul and Warren if you want to leverage Ben's presence here to
discuss your abstain position.

Warren: To be clear, my abstain is not a grumpy abstain. It's more just sort of
following a little bit of Paul's position. But also, I think this is
significant enough change to the resolution behavior and it involves a fair
amount of not particularly simple DNSSEC considerations that I think that is
really should have had much closer consideration with the DNSOP working group
and review from DNSOP. I mean, there was a DNSOP stir review, but that's not
the same as the having the entire working group look at it. I think that is
sort of fundamental enough set changes that it should have had more discussion
and review across areas.

Eric: Thank you for restating that, I don't know whether you read my email sent
during your night. My apologies for not checking that DNSOP was in WGLC as
well, anyways, it was IETF Last Call so that should have been done at that
point of time. Normally, I would double check that but I didn't this time.
Sorry about that.

Paul: My problem is, part of it is the generic problem of the ADD working group
which has left the client policy out of charter because there's never going to
be an agreement on client policy because half the people want the network to
trump, and half the people want the client to trump about security decisions
and so the whole client security is out of scope. Instead of having in this
document a section on what is the client supposed to do and what is the proper
implementation for prime policy? It only puts in some security considerations
because it can't really give a full set of, this is what the client should do
because they would go against the charter. This is not something the authors
can fix it, it's just an artifact of how the ADD working group formed. My
second important point is, I think the split DNS is a concept and this document
kind of like weasel worth itself into changing that concept. I think the
concept of a split DNS is, you have a public zone worldwide, you have a couple
hundred branches that have all their own internal zones that are either split
off or copies of that zone. They are completely run independently so these
people don't talk to each other at all and they have to talk to each other to
make it work. On top of it needing DNSSEC, on top of it the client does DNSSEC,
and the public zone does DNSSEC so all in all, this becomes, to me,
un-deployable. It has a lot of complexities. I did chat a bit with John about
this, and I do agree that my objection, at this point, really comes down to I
don't think this is ever going to work and if it's not a standards track
document then I think it's not going to be useful but harmless because people
aren't first implemented whereas if it's a standards track then implementers
might think they must implement this. I think that's too much. I think if this
is changed to experimental then I will change my abstain to no objection.

Eric: Ben has raised his hands, Ben, do you want to reply to this? I want to
note, Paul, that there are so many standards track RFCs that are not
implemented or not even deployed, but it's not the reason. I do agree, it's not
the reason. Warren, do you mind if Ben speaks first?

Warren: No, go ahead.

Ben: I just wanted to clarify a DNSSEC is not a prerequisite for implementation
of this draft. We did a lot of work to make it fully compatible with DNSSEC,
but there is no requirement it's going to be signed. There's no requirement for
the client to be validating.

Paul: It is because you are equally transport security with data origin
security. You're saying if you've got a TLS connection to a trustworthy point
and a network then you can consume untrusted DNS and treat as trusted. That's
just a fundamentally wrong concept. I'm not going to say that DNS for TLS is
equivalent to DNSSEC.

Ben: It sounds in that case, you have a technical objection to part of the
draft because we do have some reliance on transport security. The draft does
not claim that transport security is equivalent to DNSSEC, it does not set the
DO bit, it does not use that in some general way as a substitute.

Paul: No, you just said you trust the DNSSEC part or you trust the transport
part of the data.

Ben: The draft makes, in my view, a compelling clear case that in this specific
case, based on the way that this data is being used, based on the security
relevant decisions that are being made in this case, that transport security is
entirely sufficient and appropriate as the foundation for the client to make a
particular choice for a certain set of clients which are described in more
detail in the draft. It also says for other clients with a different set of
starting points of assumptions that DNS could be required for different clients.

Paul: That's just a fundamentally disagreement, and i'm sorry I pushed back to
everyone who's trying to equate DNSSEC with DOT because they're not the same
thing.

Warren: I mean, this document does do an interesting thing where it lets the
zone operator assign the ability for a dot server to own a part of it. I agree
with Paul here, it feels like a very different trust model or different
security model, but again, I abstained not blocked.

Eric: For a sake of time, Ben do you want to say your last point?

Ben: I think this is an interesting case, my view of this document is that a
lot of people have said split-horizon DNS is impossible to do without resolving
the question of who is in control. We have to figure out if the client is
always in control? And just bypass the network for DNS. Is the network always
in control? And the client must do whatever the network tells it to do. The
point of this draft, in my view, is to say look, it is possible to do
split-horizon DNS without having to resolve this enormous fight. We can
essentially find a middle ground position here where networks can create
split-horizon zones, where clients can access them without handing over DNS
total control of the network. The network can prove precisely what they should
own and client can safely respect only that. I think it's a powerful
demonstration that this is possible, that there is a middle position here, a
technical solution to what looks like a political problem.

Paul: Let's assume that the network allows a client to send DNS packets over an
encrypted transport out of the network that it cannot inspect while offering
this network service. If you look at an enterprise solution, whereas split DNS
is the most common one, the two common ones are enterprise and university
deployment. The university might go 'whatever you want to do. We just also have
this 100 private zones that we don't put in the public DNS, and we'd like them
to work.' so in that case, I think you're right. This might work, but for the
enterprise case, I don't think the enterprise one shoot to have an unfiltered
extraction channel that they cannot monitor, but you can just send any data to
you right, other servers. In that sense, this mechanism is not going to work
because they're going to block your DNS and you're going to be forced to use
the odd path network.

Ben: I can't speak to what enterprises would want to do for that. But what I
would say is certainly any enterprise in that position shouldn't be allowing
clients on the network that aren't fully controlled by the enterprise.

Eric: Ben, Paul, thank you so much for the discussion. Should they be involved
in the ADD working group? Murray, you still have your discuss holding. John was
kind enough to clear it. Murray, are you ok enough with the new draft?

Murray: I saw that a draft has come through, my request wasn't complicated so I
imagine i'll be able to get out of your way shortly.

Paul: I can confirm that the new draft does fix Murray's concern.

Warren: I do agree with Ben that this does do a clever and cool solution to the
can you do split DNS in some way where you have authority. I just fundamentally
don't know if that's a useful thing for people to be doing. I kind of think
split DNS is somewhat of an abomination not to nag. Well done on managing a
solution to the split problem.

Erik: Even in the enterprise case, if they are permitting some security DNS
transport, that was discussed in the document, right? Being transmitted by DNS
stuff.

Warren: I still don't think split DNS is a good solution. What happens if
people have the webpage open or something and then they take their laptop home
and then their laptop connects to coffee shop home network and suddenly things
don't resolve or you leak the internal query, because various things leak DNS
information out including taking a laptop home.

Erik: And for Paul's concern, is this worse? Doesn't make it worse than the
state of things today.

Warren: I think it actually is, but then again I'm only abstaining.

Murray: Now i'm genuinely curious, you use the abomination, are we solidifying
an abomination by letting this go ahead? I thought split DNS is more common
than that.

Warren: It is common, but less over time I think when people realize it doesn't
really do what people want. Also, things like certificate transparency, they
used to be this view that you could keep a whole chunk of your name space
private, but with certificate transparency, if you get a certificate for any
sort of internal name it shows up in the CT logs and so the security or private
or whatever you think you get from split DNS doesn't apply anymore.

Eric: Until Murray clears his discuss, it will stay in IESG evaluation, AD
follow-up. I'll approve it once it clears.

Murray: I heard experimental get bandy around, did we decide we're not going to
do that?

Warren: I don't really understand how if it was experimental, what the
experiment would be. If we publish the document that people implement, you
can't really take it back.  I don't think this is really experimental.

Eric: Agree.

Murray: When Ben was describing it, the language you use described it as a very
particular way to do a very particular thing like a very limited client set and
that sounds an awful lot like the way we define applicability statements, which
forces it to be a proposed standard. But that's a collection of things that
already exist, arranged in a particular way to accomplish a particular thing.
Maybe that's not's not a good example.

Warren: I think the status and everything is fine. Would like to hold my nose.

Murray: The reason why i'm waffling a bit because if you manage to convince me
to hold my nose too, that might be enough balance to hold this entirely. That's
why I'm trying to be careful there.

Warren: I don't think you need to hold your nose.

Murray: I'll comment something when I resolve my discuss.

Liz: This document is staying in IESG Evaluation; AD follow-up.

 o draft-ietf-cbor-update-8610-grammar-05  - IETF stream
   Updates to the CDDL grammar of RFC 8610 (Proposed Standard)
   Token: Orie Steele

Liz: There are no discusses, unless there's an objection it looks like this one
is approved. Ok, this one is approved. Orie, is this ready to go as is?

Orie: It will be revised ID needed. I would like to see some parts of Paul's
comment addressed in the revision to the security consideration. I don't know
if Paul would like to say anything else.

Paul: No, I just sent Carsten an email saying pick one of the two things you
proposed is fine.

Orie: Perfect. Thanks.

Liz: This document will be approved announcement to be sent; revised ID needed.

 o draft-ietf-rats-eat-27  - IETF stream
   The Entity Attestation Token (EAT) (Proposed Standard)
   Token: Roman Danyliw

Liz: There are no discusses, unless there's an objection it looks like this one
is approved.

Eric: I guess AD follow-up to give Roman a chance to do something, right?

Liz: Yes. Ok, not hearing any objections so this document is approved
announcement to be sent; AD follow-up.

 o draft-ietf-dnsop-qdcount-is-one-03  - IETF stream
   In the DNS, QDCOUNT is (usually) One (Proposed Standard)
   Token: Warren Kumari

Liz: There are no discusses, unless there's an objection it looks like this one
is approved.

Warren: Five yeses, feels like a record.

Murray: I think eight was the record.

Liz: Warren, is this ready to go?

Warren: I believe it's ready.

Liz: Are you sure? Do you want to mark it as AD follow up?

Warren: Ok, AD follow-up.

2.1.2 Returning items

 NONE

2.2 Individual submissions
2.2.1 New items

 NONE

2.2.2 Returning items

 NONE

2.3 Status changes
2.3.1 New items

 NONE

2.3.2 Returning items

 NONE

3. Document actions
3.1 WG submissions
3.1.1 New items

 o draft-ietf-dnsop-zoneversion-08  - IETF stream
   The DNS Zone Version (ZONEVERSION) Option (Informational)
   Token: Warren Kumari

Liz: We have some discusses, do we want discuss it now?

Warren: I would like to discuss these because it feels like very much no matter
which thing we choose for documents like this a subset of people are gonna
discuss and be like 'I don't understand why this is PS when it should've been
informational' or 'I don't understand why it's informational when it should've
been PS.' We had a very similar document where it came in as PS and got
downgraded to informational so I don't understand which way I should be doing
these in the future, and I guess i'm just gonna make them primarily PS because
it's easy to downgrade from PS to info versus another last call. I've had
people complain it's not protocol enough to be PS in the past, that's why we
chose informational. I guess it requires another IETF Last Call and hopefully
it will clear.

John: I'm happy to clear my discuss after this discussion.

Warren: It's a judgment call, but I thought PS originally but i've been bitten
in the past so many times so if folks would like it to be PS and you think it's
PS, I believe the authors are okay with us doing it as another.

John: It just smelled exactly like a PS to me, but seemed like other people
thought so too but weren't willing to go all the way to a discuss. So I did it.
Do you want me to just drop the discuss and you do whatever you think is the
right thing? Or do you want me to hold it for form sake?

Warren: Please hold it for form's sake, I don't remember what I actually need
to do to make it. I guess just ask the authors to resubmit as PS and do another
last call?

Eric: Yes, I think it's cleaner.

Paul: Just for a record, my discuss has been answered and Duane is dealing with
it so we're good there.

Liz: So for this one it will stay on IESG evaluation, do you want a revised ID
on that?

Warren: Yes, revised ID. I need to ask them to submit a new one with PS.

3.1.2 Returning items

 NONE

3.2 Individual submissions via AD
3.2.1 New items

 NONE

3.2.2 Returning items

 NONE

3.3 Status changes
3.3.1 New items

 NONE

3.3.2 Returning items

 NONE

3.4 IRTF and Independent Submission stream documents
3.4.1 New items

 NONE

3.4.2 Returning items

 NONE

4. Working Group actions
4.1 WG creation
4.1.1 Proposed for IETF review

 NONE

4.1.2 Proposed for approval

 o DNS Delegation (deleg)

Warren: I think we've dealt with Roman's block. I added some milestones.

Liz: Apart from Roman's block, does anyone have anything else to discuss? I'm
not hearing anything so we'll just wait for Roman to clear his block and leave
it where it is for now.

Warren: So I do need to let you know as well, it doesn't automatically happen?
I should still send this is now approved message?

Liz: Yes, please.

4.2 WG rechartering
4.2.1 Under evaluation for IETF review

 NONE

4.2.2 Proposed for approval

 NONE

5. IAB news we can use

Liz: They had an executive session this week, so I don't think they have
anything.

6. Management issues

6.3 IETF 120 Agenda Conflict Resolution (Liz)

The management item was discussed.

6.1 [IANA #1364810] renewing early allocations for
draft-ietf-netmod-syslog-model (IANA)

Liz: This is for one of Mahesh's groups, but Mahesh has already left. Did
anyone happened to look at this or talk to Mahesh about since last week?

Warren: Quick process question: assuming that we don't approve it now, can we
approve it during the meeting in London or can we not do real things?

Eric: What we talked about last time, this should be public discussion and the
retreat is not.

Warren: Us saying yes, this is cool should be public? Ok.

Eric: I think so.

Warren: Does anyone object to this even though Mahesh isn't here?

Liz: This is the third renewal presumably someone had said yes before.

Warren: I'm fine with it.

Cindy: Just a note, if you guys wait to approve it at the next telechat, the
next telechat day is the day it's going to expire.

John: Let's not have it expire just because we can't get around to putting it
on the right agenda at the right time. I don't have an objection to renewing it.

Warren: Going once, going twice.

Liz: Ok, this has been approved and we'll send that official note to IANA.

6.4 [IANA #1366749] renewing early allocation for
draft-ietf-lsr-dynamic-flooding (IANA)

Liz: This is one of Gunter's groups.

John: This is one of my documents though, that document is in the RFC editor
queue now so we should renew.

Liz: We'll renew this one as well and send that note to IANA.

6.5 [IANA #1366921] Designated experts for RFC 9577 (The Privacy Pass HTTP
Authentication Scheme) (IANA)

Liz: This was the item we assigned to Paul at the top of the call.

6.6 Executive Session: IANA problematic submitter (All)

This management item was discussed in executive session.

6.2 Executive Session: IETF 125 Planning (Roman)

This management item was discussed in executive session.

7. Any Other Business (WG News, New Proposals, etc.)