OPSEC WG Scribe: Eric Vyncke evyncke@cisco.com Plans for this meeting, what we want to accomplish ---------------------------------------------------- No OPSEC meeting for many IETF meeting, mainly due to failing chairs, the hope is to revitalize the WG with the new co-chairs. A lot of expired I-D, after contacting authors, it appears that some will be revived, some others will have to find new author. Some previous milestones were mystifying (not clear) => chairs will go to the Area Directors to get guidance. The charter will be based on what this WG members want. Neither question nor comment from the audience. Milestones with drafts: ------------------------ filter-caps (WGLC in 2007, IESG said more work to be done, Chris -- the original author- has agreed to rewrite it), framework (RFC 3871++), logging-caps, misc-cap, icmp-filtering (Fernando Gont has promised to rework on it) Ron Bonica (AD): the goal of the WG was to have the list of security features to request vendors to implement, while now it appears more like a collection of threats. Milestones without drafts: --------------------------- AAA-capabilities, ... (and few others, but the scribe had no time to take note) New work: filtering BGP customers (wkumari-isp-protocol-filtering), operational security for IPv6 network (KK, Eric, Merike), gont-opsec-ip-options-filtering, SP infrastructure security, open-nmasc (about network management, author=AD said it can die) Warren asks whether there are other proposals for new work: - Wes George: should get the security items from V6OPS & other V6 related WG Operational Security Considerations for IPv6 Networks (K. Chittimaneni) ======================================================================== The -00 deadline was missed but the authors want to already get some ideas & feedback form the WG members. Objectives: analyze the operational security issue for a variety of networks (residential, enterprise, service providers, ....). People know how to manage securely an IPv4 network but not yet an IPv6 one. IPv6 deployment may also introduce more security issues/challenges (NDP, tunnels, multiple IPv6 addresses per interface, ...). With more and more IPv6 deployments, we should aim at sharing security BCP. It will complement RFC 4892. The I-D will work in co-existence with V6OPS & HOMENET. Lee Howard: analyzing all networks with threats & mitigations is probably too ambitious, does it apply only to IPv6? Tim Chown: speaking for HOMENET, work will be welcome Ron Bonica: about the 'analyze issues', the WG started about security features, then SP-oriented and would now move to too many types of networks. Ron asks the room/WG to see what would be the focus of this I-D Lee Howard: supportive of the work, just afraid about the size, residential should be outside of this WG, enterprise is more dubious (because there are already other references) Wes George: the WG should look for operation section of all other WG, should also compare v4 vs. v6 on feature parity, Wes will rephrase on the mailing list Jabber: first WG focus was tier-1 in order to keep focus, should identify threats Eric Vyncke: common issues in enterprises & SP, so, let's kill two birds with one stone, the intent is to work on operational issue Lee Howard: the focus should not be only one existing attacks, be more generic Revision to the charter: ======================== will be done in mailing list. Any other business: =================== No other business