Note takers: David Dolson & volunteer? CAPPORT Working Group IETF 99 Prague 2017-07-18 15:50-17:50 Tuesday Afternoon session II Chairs: Erik Kline, Martin Thomson Materials: https://github.com/capport-wg/wg-materials/tree/master/ietf99 Martin: - dates for deliverables are in the past, and some of the milestone docs are probably not relevant - we want to deliver something. (A/V is hard) - is minimum set OK? David Dolson: need to notify non-http-80 Tommy Pauly: expect to interact with web pages Martin: considers status code 511 to be dead until new information. Agenda Administrivia 5 Chairs MVP 20 Chairs Architecture 20 Dave Dolson https://datatracker.ietf.org/doc/html/draft-larose-capport-architecture Did anyone take notes while Dave was talking?? Tommy: if adopting, work in parallel, not waterfall. Adam Roach: Low value in problem statement Martin: adopt? Margaret: discuss adoption after other slides & discussion Martin: Mark Nottingham doesn't want to work on problem statement; so we would incorporate the good parts into arch doc. ICMP 20 David Bird https://datatracker.ietf.org/doc/html/draft-wkumari-capport-icmp-unreach Lorenzo no-nametag: how to tell attacker session-ID vs. proper session-ID. David Bird: can check quoted packet David Dolson: session-ID help filter out duplicate messages Lorenzo: ephemeral port ranges are not huge; not hard to guess Dave Dolson: in arch doc we said worst case ICMP impact is going to API and asking Tommy: want to keep ICMP simpler, not put a lot in ICMP no-nametag: I don't understand how we say both the ICMP is a hint and also that API and ICMP can be out of sync. Otherwise we need security on ICMP. If it is a hint, OK. but if it gives more then there are security issues. Tommy: building on that, I see your point, but I don't have a ton of sympathy for the complexity argument bc today there is a web server that can tell me how much time, and can control the enforcement point. We should be able to do an API that is as simple as a web portal serving up a static/dynamic web page. Martin: Some feedback I got was (a) there are far too many bits & messages (maybe dest unreach is enough), you allow provider to provide discriminatory services. David B: That's what walled garden does. We shouldn't go there. Martin: we should be very careful about talking about discriminatory services. We need to be very careful about what we say, including social effects. David B: is this applicable to ICMP? Martin: Yes, fine grained control my enable it. Dave Dolson: if we bring more in scope, we could restrict the enforcement point to having a single tier. PvD 20 Tommy Pauly https://datatracker.ietf.org/doc/html/draft-bruneau-intarea-provisioning-domains Martin: Do you mean that if there is non-capport PvD, do probing funny-business is not required? Tommy: yes Margaret: some odd timing things. If you get capport PvD, you can't send traffic until checking PvD API. Lorenzo: I'm not optimistic we will get this soon. Realistically, until we get to HTTPS everywhere, this might provide wrong incentives. Lorenzo: Do you really want to wait until letting traffic use the network? Tommy: today, we wait for capport probe to complete until allowing network access. David Bird: confused by flow: what if PvD API is misconfigured or lying? Tommy: this is not a new thing; capport defeating approaches happen today. Devices will consider the network to be evil. Dorothy Stanley: How does the client trust the information? Or does it not? Tommy: need more in-depth analysis. In this case, PvD is secure connection. Assuming HTTPS. Eric Vinke: in ? protocol, a blob sent back, advertise prefixes in the JSON. (I didn't understand this point) Martin: maybe not giving security, just misconfiguration protection? David B: doesn't get rid of probe. Tommy: if someone is browsing to a server they want to go to, it isn't wasted. Pierre Pfister: in IPv6 it is generally accepted the RA is trusted. Lorenzo: Can we ignore this problem? Tommy: yes David B: security is provided by TLS. Do you present the cert to the user? Tommy: Yes, in demo, yes we presented FQDN to user. API 20 Mark Donnelly https://datatracker.ietf.org/doc/html/draft-donnelly-capport-detection Eric Kline: in favor of the reduction. What might non-default networks in the API mean? Mark: intended to provide different ways of accessing Eric: is there overlap with PvDs Yes r Martin: the question is, with multiple PvDs, do you need multiple networks at this layer? Tommy: no Martin: what is session token? Mark: people seemed to want session token. o Lorenzo: can we update on demand? Lorenzo: counting issues: when does client know it has reached limit: Maybe ask at 80%? Dave Dolson: Please see my comments on the API wrt style of using GET vs. POST and RESTful approach. David Bird: wrt counting... (missed this) Martin: Three questions: 1. for arch doc, do we want a milestone for architecture. Humming: in favor. 2. is the document a good basis for the milestone? Humming: in favor. 3. do we need milestone for the ICMP signal? Humming: divided: not clear. 4. API document: do we need a milestone? Humming: in favor. 5. Is this document a good basis. Humming in favor. Probably will cut milestones back by removing survey and taxonomy. (Discuss with AD)