ideas-ietf99-minutes.txt

# IDentity Enabled Networks (IDEAs) BoF
## IETF 99, Prague

* Date: 19 July 2017
* Time: 13:30-15:00 CEST
* Room: Congress Hall II
* Chairs: Tim Wicinski, Brian Haberman
* IESG Overlord: Alvaro Retana
* IAB Shepherd: Erik Nordmark
* [DataTracker](https://datatracker.ietf.org/wg/ideas/documents/)

Scribes: Toerless Eckert, Uma Chunduri, Amreesh Phokeer

Participants on Meetecho
Antonell Molinaro (grey)
Bjorn Hjelm (grey)
Dhruv Dhody
Jean-Michel Esnault (grey)
John Leslie (grey)
Simon Pietro Romano
Wolfgang Beck (grey)

---

## Agenda

### Administrivia

* Agenda Bashing, Blue Sheets, etc., 10 min
* Why Are We Here?, Chairs, 10 min

Intro by Tim.

"Why we are here" slides from Brian.
Goal: is there a framework to provide ID-based services?

* [draft-padma-ideas-problem-statement](https://tools.ietf.org/html/draft-padma-ideas-problem-statement/), Pillay-Esnault, 15 min

Problem statement by Padma
- Motivation: look at the perspective of all network actors, ubiquitous mobility, etc.
- User perspective: context-aware features, access control and privacy

Slide 2: Proposal: identity/identifier split
Slide 3: Difference between identity and identifier; identity is an enabler and immutable
Slide 4: Problems addressed: Privacy
Slide 5: Protection against eavesdroppers. Encryption of the IP packet would conceal the ID header and hence would defeat identifier services that can be done on the identifier layer in the packet.
Slide 7: Lack of common infrastructure and primitives
- There is a wide diversity of devices and a variety of solutions
Slide 8: Proposal
Identity services that take care of the identity/identifier split
Mapping services for the identifier and location split
Change in the protocol is to interact with the other protocols
GRIDS-CP protocols to access GRIDS services; other WGs can extend their CP to utilize the services that would be defined by GRIDS
Slide 9: Scope of work
Slide 10: Out of scope: not trying to do mapping of domain names
Slide 11: Relationship with other WGs; IDEAS would want to collaborate with them for more integration

Questions:

Ravi Ravindran: how much security is exposed? Most of the concerns are in the higher layer. Also, "who" would use this?
Padma: doesn't need to be a service-level application, but service-aware applications. Could be used to prevent unwanted traffic?
Uma Chunduri: several use cases listed in use-case draft, e.g. IoT use cases. ICN is about data and naming content, not devices.
Tim (WG chair): please postpone discussion to next step.
Nat Sakimura (NRI/OpenID): Alignment with Access and Management community group: identifier and individual-within-group identifier.
Padma: need to define what identifier in the context of IETF means. Identifier and locator are meant to show where you are. Bob's presentation will show this better.
Sakimura: could help you to align with our community; you could reuse.
Luigi on slide 8: on the control plane, how to choose the parameters? Slide 11: careful how to move forward, needs collaboration between WGs.
Wolfgang Riedel: end-to-end encrypted, ID is meaningless. Need to think about a different way to identify the application. Maybe should widen scope to be closer to applications.
Robin Wilton (Internet Society): Taxonomy & layers we are talking about here (network layer, application layer or human layer?). Identity of individual is not relevant in each of these individual layers.
Padma: Let's have Bob's presentation first.
Chair (Tim) question: how many deployed LISP in their production network? (a dozen)
Fabio Maino: HIP/ILA?
Padma: large deployment of ILA in Facebook.
HIP answer from audience: folks with deployment are not here but exist.
Tim (Chair): working at Salesforce, deploying LISP scares them, love BGP. Rather write a bunch of software with APIs, shp from 5 years ago.
Padma: Some IDEAs contributors not present, e.g. working in IoT.

* Identities and Identifiers for ION and the IETF, Moskowitz, 5 min

Slide 1: What is IDentity and Identifier, and why the distinction?
Definition of Identity for IDEAS: we are talking about identity of machines and NOT of people; identity is unique to an entity, which is a machine. The concept of identity can be shared and understood and expressed somehow (support for multiple languages of identity); that would make it scalable.
Slide 2: What is an identifier for IDEAS? It's an IETF endpoint that is not routable; it should be transparent to the application and the location/ID mapping system.

Parviz Yegani: We have been here before in IETF and talked about Identity. NAI has user portion and realm. Scope of IDentity should be billable (like IMSI, which is globally unique). Why is IDEAs close to IMSI or IMEI?
Bob: Billing as metadata. We want Identity to be access to the IDentifier/Location system.
Wolfgang Beck: IP prefix irrelevant to application services.
Bob: welcoming discussion on how to include.
Michael Spiegelmock: why not use a public key as identifier?
Bob: Which format of public key and what algorithm (is this ID_KEY_ID?)
Michael: It's OpenSSH.

* Host Identity Protocols on Identity and MAPing, Moskowitz, 10 min

HIP backgrounder
Slide 1: HIP is based on a new flat namespace, a valid non-routable IPv6 address. HIT is derived from the Host Identity and it is SIGMA compliant to exchange Identity/Identifier between peers.
Slide 2: Explain the HIP base exchange; it is a very lightweight protocol for exchange of identity/identifier. Either party can be an initiator.
Slide 3: HIP Mobility is a concept of a rendezvous service
Slide 4: What happens when a peer moves or both peers move at the same time
Slide 5: HIP weaknesses: there is too much crypto, change in IP stack behavior and HIT discovery
Slide 8: HIT discovery can be done much more effectively through IDEAS (currently it uses DNS RR)

* [draft-xyz-ideas-gap-analysis](https://tools.ietf.org/html/draft-xyz-ideas-gap-analysis/), Cabellos, 15 min

Slide 2: Brief history: IP addresses have overloaded semantics, so the solution proposed was to split identity/identifier
Slide 3: LISP overview (Identifier, Locator and mapping of these 2 through the Mapping system)
Slide 4: What are the common operations of ID/LOC protocols
Slide 6: How location tracking works in LISP. It is easy for an attacker to track the location of the node, which raises privacy concerns
Slide 7: Propose policies that will be enforced. Host can define access policies, and attackers cannot track if policies are enforced.
Slide 8: IDEAS introduces the idea of privacy; it supports fine-grained access policies
Slide 9: Concept of identity. Identity helps to tie all the long-lived and ephemeral Identifiers.
Slide 10: There are gaps identified in the identifier/LOC protocols, and IDEAS introduces the notion of identity
Slide 11/12:
Slide 13: Gives a summary of gaps identified, and therefore IDEAS introduces the notion of identity, strong requirements for privacy and a common infrastructure for identity/identifier and identifier/location mapping

Parviz: Identity in a fixed network is easier as scope is fixed. But in mobile networks it is difficult. What is the scope?
Bob: Mobility, multi-path is easily handled.
Toerless: It would be good if chairs ask about the problem statement and use case draft. Ca. 40%..50% of people read problem statement and gap analysis drafts.
Georgios: would like to see charter read.
Tim: way too dense, take out 75%. This work can be done on the list as well.
ADs seemed to be a lot more amenable to spin up a WG with a much more lightweight charter. Give yourself room to possibly go backward during work to change exact details of deliverables.
Jim Guichard: Questions asked indicate that use-case drafts were not read by questioner. Raise of hands: ca. 50% of people read use-case draft.
Brian Haberman: is the work to be done well enough defined/understood?
Fabio Maino/Cisco: Observation: One presentation seems to be on a meta-protocol, mapping identity to identifier (from Albert's presentation). E.g.: if I have privacy concerns, use that protocol. Slide 8 with picture (GRIDS): Are green arrows in charter?
Padma: LISP and HIP have a control plane, ILA does not. Those arrows (e.g. into ILA) still need to be discussed. Not clear if that should be in scope.
Fabio: other aspect is data plane, need to decide about scope.
Dirk Kutscher: Today we have different services that all do identifier mapping (e.g. to locator). Benefit in defining generic service, add privacy features, policy. In the Internet today, we have a couple of systems, SIP, etc., decentralized, DNS. How much do I trust each of these? Do you see the risk that there could be some big universal system that can be abused?
Bob Moskowitz: Definitely one of the use cases we want to consider. Can we start mapping those databases together or is it too big?
Uma Chunduri: <...missed..> uma pls. fix
Jari Arkko: Don't have comment about proposed work, other than generalizing locator/identity split. Some presenters said identity is a permanent thing. Would not like to see a situation where if the identifier changes I need to have an exchange with infrastructure; does violate privacy (did he say identifier or identity in this context?)
Bob M: yes, concerns, long time discussed.
Brian Haberman: Identity has its own lifecycle, did not give a value for how long this means.
Bob: non 802.1AR cert for lifetime.
Brian: hum now if you think problem is well defined: 50%; hum now for not: 50%
Dave Oran: Did people look at APIP and reject it because it's not a locator/identifier split protocol? SIGCOMM paper: https://www.cs.cmu.edu/~dnaylor/APIP.pdf
Padma: Can discuss...
Dave: Thinks paper nails problem statement, read paper.
Brian Haberman: Your question was whether design team has done literature review.
Dave: Yes. It's fine if scope is to make identity work for identifier/locator split solution, but there are problems for identity beyond that scope and people should be aware of it and position re. those problems?!
Brian: is there something to be done for IETF: 50%, 50%
- Brian: thinks favor for more work to be done.
Cullen Jennings: A lot of us think the work is undefined. You would have gotten a lot clearer distinction if you had asked if work as defined in charter is clear; thinks it is not.
Brian: Who would actively participate: ca. 2..3 dozen hands raised. Chairs will sit down with Alvaro to discuss how to go f
Oberman: Discussion whether this was more appropriate as a research working group. Would like to hear reasoning why this should be a working group.
Bob M: thinks he and Dino have slightly different ideas about what standards feature to be defined should be done. First round discussion should be exactly what infrastructure components to define/spec, aka: little undefined. Have not taken all of that to the mailing list yet.
Tim: How would we resolve this if we were just a bunch of software hackers? Just write a bunch of code.
Bob: have an answer to that question.
Uma: Bits & Bytes tomorrow evening with prototype code for GRIDS.
Tim: Thanks, encourage to go. Was on slides, forgot to mention.
Georgios: Charter review?
Brian: Not worth it, first need to discuss with AD.
Meeting now officially over.
Tim: Lots of questions asked here might have been discussed and thought about, but that was not brought up to the list.
Friendly suggestion to bring discussion to the list.
Tim: Half of who read Use cases document.

### Next Steps, 30 minutes

* Enough Interest in a WG?

### Charter?