Wednesday, March 21, 2018

 15:20-16:50 Afternoon Session II

Palace C

0. Administrivia (5m)

New co-chair: Eric Vyncke

Co-chair stepping down: Gunter Van de Velde

 

*         Blue Sheets

*         Note taker: Gunter Van de Velde

*         Jabber scribe: Warren Kumari

*         Agenda bashing

OPSEC WG Agenda accepted

 

1. WG Documents (20 minutes)

*         WG documents update by the chairs (3 minutes).

*         draft-ietf-opsec-v6, Operational Security Considerations for IPv6 Networks, Merike Kaeo or Eric Vyncke (15 minutes)

 

Enno Rey added as editor of the draft

Main changes:

• ULA text added/changed:
• Fred Baker: Is the filter ever activatedif the traffic is never routed there
• Eric V: As security person, it would be wise to do that
• Ron Bonica (chair hat off): Should a ACL not be src/dest pair?
• Ruediger: That would break ICMP
• Lorenzo Colleti: It has to be source OR destination, as otherwise packets can be spoofed and that sounds as bad idea
• Ron Bonica: agrees on src or dst but what about execptions for IPTV?
• Jeff Haas: Exceptions are bad
• Warren Kumari: What aout using part of the bogings filtering
• Bob Hinden: Is this different as RFC4993, as it should have same language?
• Bob Hinden: quoting other documents is good, but summarizing results in loosing information
• XXX: Knowns about infrastructures of using exclusive ULA addresses, and using NAT at the edge. Propose to make text more clear to not purely prescribe it can not be done
• Lorenzo Colleti: Text here should say ULA not required and not recommended
• Tim Chown: ???
• Lee Howard: The text should say that ULA The existing of ULA does not automatically assume translation is implemented. (timestamp: 15:38h)
• Lorenzo Coletti: I do not agree with that text
• Text on Tunnels:
• Ole suggested to remove the text on 6to4 and TEREDO, while editors prefer to keep the text as security architects may have questions about this

 

Co-authors, will ask for WGLC

 

á    Lorenzo Coletti: text was written long long agoÉ things as disabling SLAAC and DHCPv6 obly, and best practices say not recommended. Also v6 address on MAC is deprecated, needs to be fixed. Disabling privacy addresses is pretty silly for this purpose. The document should say something about L2 and L3 filtering. Document should say something about SAVI.(timestamp: 15:43 for list of sections to revise)

á    Tim Chown: a section on address accountability would be a good thing

á    Merike Kaeo: We will need to figure out what rough consensus means in this matter as there are soo many different opinions

á    Ron Bonica; Who can review the text before WGLC in 2 weeks is started: Lorenzo Coletti, Tim Chown and Fernando volunteered after feeling guilty

 

 

*         draft-ietf-opsec-ipv6-eh-filtering, Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers. Fernando Gont (2 minutes).

 

 

Other non WG documents

*         draft-sriram-opsec-urpf-improvements, Enhanced Feasible-Path Unicast Reverse Path Filtering, Kotikalapudi Sriram (15 minutes)

 

Presentation of draft updates

Ruediger Volk (DT): Did you consider various anycast ruting schemes and the interaction on this

Sriram: not yet

Ruediger: worried about transcient situations in routing and this RPFmechanism

Jeff Haas (Juniper): This set of document is not to be ALL complete. Event further away from interfacewill take time. And is there a need to do things real time? How would the functional correctness be? 

Igor lockhart (Akamai): BCP38 does not work for complex systems. Agrees that this is important work to address.

Jared Mauch: An algorithm like this is going to be very complex, and with the internet having shorted AS-paths (cloud-consumer) it makes this type of enhancements questionable

Jeff Haas: There are other ways on how to insert state.

 

Eric Vyncke: Humm to  have as WG document: hum medium

Humm for not WG document: Hum low

Will be asked onlist to adopt as WG document 

 

*         draft-camwinget-tls-use-cases, TLS 1.3 Impact on Network-Based Security, Nancy Cam-Winget, Flemming Andreasen (15 minutes)

 

Presentation of draft

Question: Enhanced dillfie helman must be used, and the text allowsdifferently

Nancy: The text should be saying the correct thing normally

XXX: Who needs this?

Eric Rescolla: The cypher is in the clear

Nalini: Would like tohave a

Tim xxx: This document is filled with inacuraties. And has questions about the point of this document.

Nancy: Purpose of draft is to articulate how securities things are done in current networks and how network security solutions evolve in their pat to TLS1.3

Andreasen: Our purpose is to document TLS1.3 complications to implement

   

 

*         draft-paillisse-sidrops-blockchain, An analysis of the applicability of blockchain to secure IP addresses allocation, delegation and bindings, Jordi Paillisse (15 minutes)

Presented the slides

(no time for questionsÉ overrun in time)

 

 

*         draft-balarajah-bmwg-ngfw-performance, Benchmarking Methodology for Network Security Device Performance, Carsten Rossenhoevel  (15 minutes)

 

Presented the slides

Macy (University of Essex): traffic mix construction? 

Carsten: What counts is the number of URLs and a real mix

Macy: How to construct those traffic mixes and how to best make that public

Carsten: Asking 

Time Chown: What is NetsecOpen?it is not mentioned in the draft. And also the high performance tests are not included in the text yet?

Carsten: good comment and we need to look into it

Jeff Haas: Which ciphers and IKE options to use? What about the traffic mixes on high and low throughput fragments

Al Morton: (co-chair of BMWG): would like to have discussion on BMWG and get this as result adopted in BMWG as a WG document.