[{"author": "Deb Cooley", "text": "rats sent a report
", "time": "2022-03-24T09:05:22Z"}, {"author": "Ned Smith", "text": "RATS report is posted on the saag mailing list
", "time": "2022-03-24T09:05:40Z"}, {"author": "Roman Danyliw", "text": "@Deb and Ned -- oops, I missed that
", "time": "2022-03-24T09:06:44Z"}, {"author": "Sean Turner", "text": "+1 to what Justin said
", "time": "2022-03-24T09:06:58Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Yes, thanks Justin for bringing up HTTP message signing/digest
", "time": "2022-03-24T09:07:40Z"}, {"author": "Valery Smyslov", "text": "DOTS has sent a report (not mentioned in slides)
", "time": "2022-03-24T09:07:49Z"}, {"author": "Paul Wouters", "text": "clear
", "time": "2022-03-24T09:08:26Z"}, {"author": "Sean Turner", "text": "as Shepherds I forget and the ADs catch
", "time": "2022-03-24T09:12:49Z"}, {"author": "Jonathan Hammell", "text": "The SECRET BoF listed on the SAAG slides did not meet during this week, but had a virtual meeting 2022-02-10.  
Minutes: https://datatracker.ietf.org/meeting/interim-2022-secret-01/materials/minutes-interim-2022-secret-01-202202100900-00
Recording: https://www.youtube.com/watch?v=SDu4kKEJwCQ
", "time": "2022-03-24T09:13:45Z"}, {"author": "Sean Turner", "text": "wooohooo
", "time": "2022-03-24T09:14:25Z"}, {"author": "Tim Cappalli", "text": "W3C FedID CG I mentioned: https://github.com/fedidcg
", "time": "2022-03-24T09:16:41Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Thanks Tim!
", "time": "2022-03-24T09:16:52Z"}, {"author": "Paul Wouters", "text": "also true for Shepherds :)
", "time": "2022-03-24T09:16:53Z"}, {"author": "Yoav Nir", "text": "a little DANCE
", "time": "2022-03-24T09:17:34Z"}, {"author": "sftcd", "text": "@turner: whatcha upto there with tls errata? :-)
", "time": "2022-03-24T09:18:17Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "sftcd: only hounding the AD with a list of proposed dispositions once
a year
", "time": "2022-03-24T09:18:44Z"}, {"author": "Kathleen Moriarty", "text": "@turner's winning!
", "time": "2022-03-24T09:19:17Z"}, {"author": "Sean Turner", "text": "clap clap clap
", "time": "2022-03-24T09:19:32Z"}, {"author": "Deb Cooley", "text": "@ tim - TY for that link
", "time": "2022-03-24T09:19:47Z"}, {"author": "Sean Turner", "text": "errata?
", "time": "2022-03-24T09:20:20Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Bigger numbers are better, right?  TLS tops the errata chart
", "time": "2022-03-24T09:20:39Z"}, {"author": "sftcd", "text": "it's probably because nobody uses tls
", "time": "2022-03-24T09:21:04Z"}, {"author": "Sean Turner", "text": "yeah BEN!!!!!!!!!!!!!!!!
", "time": "2022-03-24T09:21:25Z"}, {"author": "Kathleen Moriarty", "text": "Thank you, Ben!!
", "time": "2022-03-24T09:21:34Z"}, {"author": "Russ Housley", "text": "Many thanks to Ben!
", "time": "2022-03-24T09:22:01Z"}, {"author": "Chris Inacio", "text": "Much thanks Ben.
", "time": "2022-03-24T09:22:11Z"}, {"author": "Yoav Nir", "text": "+1 thanks, Ben
", "time": "2022-03-24T09:22:13Z"}, {"author": "Sean Turner", "text": "Where's the hat :)
", "time": "2022-03-24T09:23:03Z"}, {"author": "Sean Turner", "text": "nice!
", "time": "2022-03-24T09:23:27Z"}, {"author": "Robin Wilton", "text": "Ben Kadukenobi
", "time": "2022-03-24T09:23:41Z"}, {"author": "Russ Housley", "text": "Security ADs always have the records for the number of DISCUSS ballot positions.
", "time": "2022-03-24T09:24:04Z"}, {"author": "Robin Wilton", "text": ":clap::clap::clap::clap:
", "time": "2022-03-24T09:24:33Z"}, {"author": "Chris Inacio", "text": "there's a few minutes left.
", "time": "2022-03-24T09:24:59Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "@meetecho adjust camera to speaker please
", "time": "2022-03-24T09:26:21Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "thank you!
", "time": "2022-03-24T09:26:26Z"}, {"author": "Sean Turner", "text": "wait there is an X :)
", "time": "2022-03-24T09:26:29Z"}, {"author": "Sean Turner", "text": ":)
", "time": "2022-03-24T09:26:46Z"}, {"author": "Roman Danyliw", "text": "That was my typo of IPSec ... wait IPsec
", "time": "2022-03-24T09:27:36Z"}, {"author": "Jonathan Lennox", "text": "IPsec is French for \"Dry IP\", right?  Like a vin sec?
", "time": "2022-03-24T09:28:05Z"}, {"author": "Ted Hardie", "text": "So IP brut is the non-IPsec version?
", "time": "2022-03-24T09:28:48Z"}, {"author": "Yoav Nir", "text": "The reason it's controversial is because of the book by Dan Harkins https://books.google.co.il/books?id=ZKIxicvgGJ8C&printsec=frontcover&hl=iw&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
", "time": "2022-03-24T09:29:31Z"}, {"author": "sftcd", "text": "that image would work for tls too, what else?
", "time": "2022-03-24T09:29:34Z"}, {"author": "Chris Inacio", "text": "few are willing to use IP brut, it's too strong
", "time": "2022-03-24T09:29:35Z"}, {"author": "Ted Hardie", "text": "@sftcd HTTP?  with QUIC coming up fast?
", "time": "2022-03-24T09:31:32Z"}, {"author": "sftcd", "text": "oh yeah quic works, maybe wins best newcomer (to qualify for that image)?
", "time": "2022-03-24T09:32:06Z"}, {"author": "Yoav Nir", "text": "child SA != IPsec SA
When you rekey an IKE SA, the new IKE SA is a child of the old IKE SA.  So \"child SA\" does not tell you what kind of SA it is.  So \"IKE SA\" and \"IPsec SA\" are better terms.
", "time": "2022-03-24T09:35:20Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Sounds like Yoav agrees with Paul about what terms are most useful,
then :)
", "time": "2022-03-24T09:36:26Z"}, {"author": "Roman Danyliw", "text": "Ports?  TCP?  UDP?  Is that a website?
", "time": "2022-03-24T09:36:27Z"}, {"author": "sftcd", "text": "they should all use the webrtc stack
", "time": "2022-03-24T09:36:51Z"}, {"author": "Yoav Nir", "text": "\"compression considered harmful\"
", "time": "2022-03-24T09:37:30Z"}, {"author": "Kathleen Moriarty", "text": "Are you guys trying to get Stephen Kent to watch with all the \"S\"s :-)
", "time": "2022-03-24T09:38:00Z"}, {"author": "Valery Smyslov", "text": "Transport mode can also be used with UDP encapsulation, but you need to fix IP checksums on receiving end.
", "time": "2022-03-24T09:41:25Z"}, {"author": "Valery Smyslov", "text": "I meant with NATs
", "time": "2022-03-24T09:41:55Z"}, {"author": "Yoav Nir", "text": "But sometimes port 443 (yes, UDP) was found to be open
", "time": "2022-03-24T09:43:06Z"}, {"author": "Jan-Frederik Rieckers", "text": "ESP oder DNS?
", "time": "2022-03-24T09:43:14Z"}, {"author": "Jan-Frederik Rieckers", "text": "*over
", "time": "2022-03-24T09:43:19Z"}, {"author": "Yoav Nir", "text": "I don't think that was done, but ESP over ICMP totally happened
", "time": "2022-03-24T09:43:38Z"}, {"author": "Jan-Frederik Rieckers", "text": "(I'll find my own way out) /sarcasm off
", "time": "2022-03-24T09:43:46Z"}, {"author": "Yoav Nir", "text": "You can't think of an idea so crazy that nobody shipped it in a product
", "time": "2022-03-24T09:44:12Z"}, {"author": "Deb Cooley", "text": "Is that a challenge?
", "time": "2022-03-24T09:44:45Z"}, {"author": "Valery Smyslov", "text": "IPsec over TLS is also defined in RFC 8229
", "time": "2022-03-24T09:45:19Z"}, {"author": "Jan-Frederik Rieckers", "text": "See RFC 1926 6a
I'm always surprised how some people assume this is a challenge.
", "time": "2022-03-24T09:45:29Z"}, {"author": "Yoav Nir", "text": "At my previous employer we encapsulated ESP packets in a TCP stream to port 443, because TCP port 443 is always open.  We called it \"visitor mode\" because you needed it when you visited a customer.
", "time": "2022-03-24T09:47:47Z"}, {"author": "Jan-Frederik Rieckers", "text": "I actually used VPN over DNS successfully on a Hotspot where I did not have credentials. It is amazing how you can use protocols for horrible things. https://github.com/yarrick/iodine
", "time": "2022-03-24T09:48:16Z"}, {"author": "Robin Wilton", "text": "Step 6 is something to do with underwear, right?  #SouthPark
", "time": "2022-03-24T09:49:46Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "It would be interesting to see some trend-over-time numbers for what
fraction of TLS connections use an ephemeral key exchange.
", "time": "2022-03-24T09:50:25Z"}, {"author": "sftcd", "text": "yeah but tls has more errata
", "time": "2022-03-24T09:50:41Z"}, {"author": "Scott Fluhrer", "text": "Actually, IKEv2 has been updated for preshared postquantum security
", "time": "2022-03-24T09:52:03Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "as an extension, sure, vs part of the base protocol behavior
", "time": "2022-03-24T09:52:27Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "That's a lot of round-trips even before your large TLS certificate
chain causes fragmentation at the EAP layer (which has to get an ACK
back before sending the next fragment)
", "time": "2022-03-24T09:58:15Z"}, {"author": "dkg", "text": "just start over from the beginning, Paul!
", "time": "2022-03-24T10:03:37Z"}, {"author": "Sean Turner", "text": "so cute!
", "time": "2022-03-24T10:04:01Z"}, {"author": "dkg", "text": "thanks Paul!
", "time": "2022-03-24T10:04:15Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Thanks Paul!
", "time": "2022-03-24T10:04:25Z"}, {"author": "Robin Wilton", "text": "Thanks Paul, that was a really interesting tour.
", "time": "2022-03-24T10:04:25Z"}, {"author": "Valery Smyslov", "text": "Thanks, Paul! Very good introduction.
", "time": "2022-03-24T10:05:49Z"}, {"author": "Florence D", "text": "For the notes, who is speaking please?
", "time": "2022-03-24T10:07:39Z"}, {"author": "Scott Fluhrer", "text": "That's Tero
", "time": "2022-03-24T10:07:47Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Tero Kivinen
", "time": "2022-03-24T10:07:47Z"}, {"author": "sftcd", "text": "tero
", "time": "2022-03-24T10:07:49Z"}, {"author": "Florence D", "text": "Thanks
", "time": "2022-03-24T10:07:50Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "google seems to find a draft-nikander-esp-beet-mode from 2008
", "time": "2022-03-24T10:08:30Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "PPM, I think, shares some properties with ODOH and OHAI
", "time": "2022-03-24T10:09:26Z"}, {"author": "sftcd", "text": "robin's question is a good one, dunno if there's a good way to describe 'em all usefully though
", "time": "2022-03-24T10:10:58Z"}, {"author": "Steffen Klassert", "text": "draft-nikander-esp-beet-mode-06 is (partially) implemented in Linux.
", "time": "2022-03-24T10:11:05Z"}, {"author": "Deb Cooley", "text": "Isn't that just normal proxy behavior?
", "time": "2022-03-24T10:11:19Z"}, {"author": "Florence D", "text": "Can it be done generically or does it need to be done on a per-protocol basis?
", "time": "2022-03-24T10:11:28Z"}, {"author": "Deb Cooley", "text": "hiding the real client?
", "time": "2022-03-24T10:11:31Z"}, {"author": "Russ Housley", "text": "Does Robin's question belong in the IAB t-model program?
", "time": "2022-03-24T10:11:36Z"}, {"author": "Florence D", "text": "Clarity around the trust model seems important for any new protocol.
", "time": "2022-03-24T10:11:40Z"}, {"author": "sftcd", "text": "@russ: not sure, answers would depend on e.g. fact that handset vendor might be operator of some of those proxies
", "time": "2022-03-24T10:12:17Z"}, {"author": "Richard Barnes", "text": "@Russ Model-T !
", "time": "2022-03-24T10:12:32Z"}, {"author": "Stuart Card", "text": "Thanks all for the BEET tips. I actually use it routinely with HIP but have always been bothered by its apparent lack of formal documentation.
", "time": "2022-03-24T10:12:39Z"}, {"author": "Robin Wilton", "text": "Good point, Donald!
", "time": "2022-03-24T10:13:14Z"}, {"author": "Stuart Card", "text": "I thought maybe it was only called BEET in the HIP docs and called something else in other docs.
", "time": "2022-03-24T10:13:20Z"}, {"author": "dkg", "text": "DNS domain registration by proxy is another non-network case
", "time": "2022-03-24T10:13:33Z"}, {"author": "Yoav Nir", "text": "The \"freedom of information corp\" has to be trusted to hide the real client
", "time": "2022-03-24T10:14:12Z"}, {"author": "Ted Hardie", "text": "I think a key design goal of those is that if you have a colluding proxy and target you are no worse off than if you had talked directly to the target.  So it *might* get better if they do not collude, but it cannot get worse.  To get that, you pay with an extra party and the concomitant fragility and latency.
", "time": "2022-03-24T10:14:16Z"}, {"author": "Robin Wilton", "text": "@Donald
", "time": "2022-03-24T10:14:56Z"}, {"author": "sftcd", "text": "\"cannot get worse\" seems optimistic, centralising is a risk
", "time": "2022-03-24T10:15:02Z"}, {"author": "Robin Wilton", "text": "Thanks Roman
", "time": "2022-03-24T10:15:07Z"}, {"author": "Robin Wilton", "text": "@Ted yes, and collusion threats might more easily be discussed if we tease apart the trust model...
", "time": "2022-03-24T10:15:49Z"}, {"author": "Robin Wilton", "text": "Thanks all!!
", "time": "2022-03-24T10:15:55Z"}, {"author": "sftcd", "text": "thanks Ben, enjoy the free time!
", "time": "2022-03-24T10:15:57Z"}, {"author": "Mirja K\u00fchlewind", "text": "Thanks Ben!
", "time": "2022-03-24T10:16:31Z"}]