IETF Munich IPsec Working Group Meeting Minutes Moderator: Ted Ts'o , WG Co-Chair Scribe: Rodney Thayer The WG met on Friday at the IETF meeting in Munich. Approximately 120 people attended. This was MBONE broadcast. The Agenda was: * Agenda Bashing * Introduction * Active WG Documents * AH and ESP Review * DES MAC Presentation * ISAKMP Review * Architecture Review * Trust Path Topology Presentation * VPN Presentation * Secure DHCP Presentation * IPsec Followon Presentation Active WG Documents =================== Ted presented the list of documents, all 29 of them. This includes top-level, encryption, authentication, key management, and some obsolete Internet Drafts. This does include some that have received little feedback, such as the ISAKMP optimization proposal, and the WG was encouraged to make sure people have reviewed the documents. It was pointed out that there are too many drafts, and we should somehow cut down the number. There was a discussion about what can be advanced, the answer was that some sort of consistent set of documents has to be advanced together so that people can get context when they read them. AH and ESP Review - Steve Kent ============================== Steve Kent reviewed the AH and ESP documents. These together with the Architecture document and the (default, referenced) ESP Cipher and Authentication drafts would make up the minimal set that can be advanced. There was a discussion of window size, which has carried forward to the mailing list. There was some discussion about mutable fields being zero and not some predicted value. There was discussion about sequence number roll-over if manually keyed (conclusion: ignore rollover) There was mention that the defaults are now DES/CBC, HMAC-MD5(?), and 64 packet replay window. DES MAC Presentation - Sara Bitan ================================= This was a proposal to use DES as a MAC algorithm -- do a separate DES operation and use the last DES block (64 bits) as the MAC value. A draft has been written and submitted. The motivation is that you can get DES chips, Authentication algorithms are slow and auth chips are hard to buy (a consideration outside the US) ISAKMP Review - Doug Maughan ============================ Doug Maughan presented the current ISAKMP (V8) draft. There was some discussion about field alignment and padding. IPSec Architecture Review - Steve Kent ====================================== Steve Kent went over the current draft of the Architecture doucment. There was discussion about 'selectors' (an old section in the document which has received little comment), IPv6 'Class', DOI vs. Architecture inconsistencies. There was discussion about whether ESP should be mandatory for IPv4. A modest amount of Multicast discussion was volunteered to be added to the document. Topology Discovery - Sara Bitan =============================== Sara Bitan presented a proposal for topology discovery using secure paths among routers. Virtual Private Networks - Naganand Doraswamy ============================================= Naganand presented a proposal on VPN scenarios using IPsec, with a proposal to add a "TX" DNS record type. There was discussion on whether ICMP could be used, or other schemes. Secure DHCP - B. Patel ====================== B. Patel did a presentation on how to use DHCP in a secure manner with Ipsec, based on a two stage procedure using two DHCP servers, one untrusted and one trusted. IPsec Followon - Steve Bellovin =============================== Steve Bellovin presented his view of what has to happen next with IPsec, dividing things into "critical path", "Useful", and "Hard" items. The only thing left on the critical path is a MIB. There was discussion that there needs to be more somewhere about how applications can use IPsec.