This agenda aims to discuss the draft status, implementation reports, open issues, and IPR related to the draft-ietf-send-ipsec. The discussion will cover topics such as using IPsec or ND options, integrating CGA with IPsec, and the architectural considerations. The meeting will conclude with a summary and the way forward for the working group.
SEND WG IETF 57, Vienna Monday, July 14, 9:00 am
Agenda bashing
• Introduction and Agenda Bashing (5 min.) Chairs
• Draft Status (10 min.) Chairs
• Implementation Report (20 min.) Pekka, James
• IPR discussion (10 min) all, with chairs moderating
• Open issues in draft-ietf-send-ipsec (20 min) Jari
• IPsec, IPsec w. CGA Header, or ND options?
• ND options (10 min) Jari
• IPsec w. CGA header (10 min) Pekka
• technical discussion (40 min or until done), all with James moderating
• Summary and Way Forward (10 min). Chairs
Draft status
• draft-ietf-send-psreq-03.txt
• Intended for Informational RFC
• Submitted to IESG at the end of April
• IESG review hasn’t started yet
• draft-ietf-send-ipsec-01.txt
• A number of open issues
• Biggest issue: IPsec or ND options
• draft-ietf-send-cga-00.txt
• Fairly close to completion
• Some details still need discussion
Implementation reports
• Jon Wood implemented CGA and RSA transform on Linux
• Pekka and Gonzalo Camarillo implemented CGA on FreeBSD/KAME
• Only basic CGA handling
• New option to ifconfig
• Ability to generate CGA IIDs
• CGA header handling to be added?
Conclusions from Linux implementation work
• A separate presentation
Conclusion from FreeBSD implementation work
• Directly mixing CGA and AH is a bad idea
• CGA addresses need to be generated at the ND level anyway
• Generating the first link local address
• Generating addresses as prefixes are received
• Outgoing IPsec SA would become cumbersome
• Ugly extensions to PF_KEY
• ifconfig works nicely for configuring CGA
• PF_KEY would work nicely for pure PK AH
IPR Discussion
• Ericsson and Microsoft have claimed IPR on Cryptographically Generated Addresses
• Ericsson released IPRs before IETF56
• Microsoft has released IPRs recently
• No other IPR claims have been received
Open issues
• A separate presentation
IPsec or ND options
• Integrating CGA with IPsec drew many objections
• Jari Arkko and Tuomas Aura have proposed to move all functionality to ND options
• Pekka Nikander has proposed to move CGA into a separate extension header
• Mostly an architectural issue
• Should IPsec include PK crypto at AH/ESP at all?
• This is also the question with respect to source address based SA selection, since PK is source bound
• Is in-line KMP allowed? (IPsec WG rejected SKIP)
• Should IPsec be used to protect IP layer signalling at all?
• But first some discussion rules and goals
Rules for discussion
• Two microphones
• First one for primary comments
• Second one for followups
• 3 minutes for each initial comment
• After that the commentator must move to the followup microphone
• Once the discussion is completed, we will perform a consensus call
• The consensus call options are on the next slide
Consensus call questions
• Question 1: If SEND was based on IPsec AH, should we use
• a) a large AH header carrying the key (draft-ietf-send-ipsec-01.txt), or
• b) separate CGA and AH headers (draft-nikander-send-ipsec-00.txt)
• Question 2: Should SEND be designed on
• a) IPsec AH, using a) or b) from above
• b) ND options (draft-arkko-send-ndopt-00.txt)
Summary and Way Forward
• Continue with ND options
• Try to get the next version of the draft out before the beginning of September
• Probably need to work on certificate issues even after that
• Need to change the charter
• Write down the lesson learned about trying to use AH