-------------------------------------------------------------------------------
CSI BoF Minutes
THURSDAY, December 6, 2007
9:00 - 11:30 - Salon D/E
-------------------------------------------------------------------------------

AGENDA

1. Agenda, Bluesheets, Note-takers and Jabber scribes
                                                                  5 Mins
2. Work Motivation, proposed charter presentation
   Gabriel Montenegro & Marcelo Bagnulo                          30 Mins
3. IPv6 Secure ND implementation report on Cisco IOS
   Eric Levy-Abegnoli                                            10 Mins
4. IPv6 Secure ND implementation report by DoCoMo
   Julien Laganier                                                5 Mins
5. Proxy-SeND
   Suresh Krishnan                                               10 Mins
6. DHCP, CGAs and SeND interaction
   Iljitsch van Beijnum                                          10 Mins
7. Discussion
   All                                                           30 Mins

-------------------------------------------------------------------------------
1. Agenda, Bluesheets, Note-takers and Jabber scribes             5 Mins

Scribes: Mikko Sarela and Suresh Krishnan

-------------------------------------------------------------------------------
2. Work Motivation, proposed charter presentation

Marcelo presented SeND status

SeND: limited deployment, considerable potential
Widespread adoption soon expected
A whole bunch of drafts in this area

General areas of work:
- Crypto agility for SEND (exists for CGA)
- Hash function analysis for SEND
- SEND support for proxy ND
- DHCP integration for CGAs

-------------------------------------------------------------------------------
3. IPv6 Secure ND implementation report on Cisco IOS by Eric Levy-Abegnoli

Very few implementation issues
Ready for interop testing now

Main issues
===========
* How to allow non-CGA addresses for routers?
* Issues with DoS attacks using SEND Timestamps
  Francis Dupont (FD) thinks the same attack exists against plain old ND
* How to put in many nonces into multicast RAs in response to multiple RSs?
* Provisional acceptance of certificates causes issues with repeated CRL
  checks
* Possible conflicts with RFC4861 behavior

-------------------------------------------------------------------------------
4. IPv6 Secure ND implementation report by DoCoMo by Julien Laganier

Completely implemented in user space
Downloads steadily going down (total of 67)
Require more people to try this and give feedback
Will try to interop with Cisco IOS

Francis Dupont thinks it is not possible to have a compliant implementation
in userland. He wants to know if there are plans.
Julien does not think so
ELA explains about not adding entries into NC as an example
Alex Petrescu discusses software architectures (kernel vs user...)
Jari Arkko (JA) would like to have more implementations (perhaps
kernel+userland based)

-------------------------------------------------------------------------------
5. Proxy-SeND by Suresh Krishnan

Problem with proxying and SEND, because SEND assumes that the address owner
and the advertiser are always the same.

Steps to solution:
  Separate address ownership and advertiser
  Add indication of proxying into SEND packet
  Provide mechanisms to establish trust between the proxy, proxied, and the
  receiver

-------------------------------------------------------------------------------
6. DHCP, CGAs and SeND interaction by Iljitsch van Beijnum

Use to distribute Sec values across the network - is this network policy or
host policy?

IvB thinks the main use cases for using DHCP with CGA are
* Offloading hashing for sec>0
* Address registration
* Certificate provisioning

Alex thinks that subnet allocation depends on the discussions in 6man and
dhc wgs
Ill wants to do an analysis in csi and go back to 6man and dhc with the
results
ELA mentions a proposal in dhc for sending SEND certs with DHCPv6-PD
Jari thinks that that particular proposal has unresolved issues.

Division of work: DHC wg - whoever wants to use DHCP for carrying new
things has to know its things, and DHC will review options, etc. but doesn't
drive the work. DHCP related things will be studied here, not in DHC wg.

Jean-Michel Combes (JMC) thinks there are other proposals possible, e.g.
using BU/BA. He wants a single location to discuss this
JMC thinks that a proxy ND solution needs to address anycast addresses

-------------------------------------------------------------------------------
7. Discussion

Alex wants to know about IPR
Jari (with disclaimer working for IPR owner)
  The licenses are royalty free for the base specs
  For extensions in this wg we need to deal with them on a case by case
  basis
Christian Vogt thinks CGAs are a great tool to get security without
infrastructure irrespective of IPR
IvB and Alex want clearer text for proxy SEND
JMC wants to add anycast explicitly
Marcelo is not sure a single solution is possible
Alex talks about using SEND to protect DHAAD
FD wants to know more about the CGA+DHCP item
Marcelo thinks we need to analyse the problem space first and come up with
possible work items.
Jari agrees with Marcelo and thinks further work requires a recharter.
Ralph explains that dhc extensions are done in outside wgs but he prefers
early collaboration and review to avoid late surprises
Fred wants to know if client can propose CGA IID to DHCP
Ralph thinks there is no technical restriction to put prefix info into DHCP
Gabe, Jari, and JMC want to include a specific point in the charter for
certificate provisioning
Khadra Ahmed wants to document the certificate management and define a
certificate profile
Marcelo thinks the first part (cert mgmt) will be covered by certificate
provisioning item
KA to write up some text and send it out
Jari thinks that 3971 updates are needed based on the implementation
proposals
SK wants to know about other signature algorithms for SEND
JMC wants to know about IKEv2 and CGA interaction
Jari thinks this group should focus on ND and DHCP and IPv6 control
signaling. More general applications need another BoF possibly in another
area, but feel free to submit proposals in other areas
FD wants to secure MLD
Gabe has a proposal using CGAs for this but it is out of scope for this
charter

Judging consensus
=================
Show of hands for support vs not support               50-0
Will actively participate and review                   25
Have interest + time                                   10-15 people
Happy with high level charter with agreed additions    20-0

Jari needs to discuss details further
Elwyn Davies asks what to do if not enough people with time to cover all
targets.
Need to prioritize
Jari thinks more implementations coming out soon. Need to do updates first.
DHCP and proxy are low priority.
Tony thinks the info dhcp document may be useful. Does not need to be short
term.
Jari thinks getting the protocol clarifications seems the most important
thing. Because otherwise the implementations will do something funny. DHCP
not so immediate. There are some people who may see value in doing the DHCP
now.

END OF MEETING