CURRENT_MEETING_REPORT_



Reported by Ron Sharp/AT&T

CIPSO Minutes

Here are the Minutes for the Commercial Internet Protocol Security
Option Working Group meeting held in Atlanta, Georgia.  Most of these
Minutes were provided by Noel Nazario who recorded them and sent me an
electronic version.  Thanks again Noel.  The Working Group met for 1.5
days with the first half day being spent on new issues described below.
The second day we addressed and closed nearly all of the old issues.

Quick CIPSO Summary

Option type 134.  One option per packet.  Only sensitivity tags are
currently defined in the document.  The document provides a common
format and minimum configuration parameters required for
interoperability.  Interpretation of values within the option are
DOI-dependent (Domain of Interpretation).


Description of Open Issues


  1. Clarifications to the Spec
  2. Multiple DOI's
  3. Sort Categories
  4. Policy on unrecognized tags
  5. Exclusionary tag types
  6. Multiple sensitivity tags
  7. Minimum RFC Compliance
  8. Tag alignment
  9. Change exclusionary tag type number
 10. Error condition definition
 11. Configuration parameters
 12. New tag types
 13. Tags 128-255, Vendor/DOI defined
 14. Move security level out of tags
 15. Vendor tag types - router problem
 16. 8-bit security level and 2-bit errors
 17. Header space
 18. Should DOI  #3 be included in spec for testing
 19. Canonicalization of encodings
 20. Whether to allow category 0
 21. Routing based on nationality caveats


New issues

Mike St.  Johns proposed the following change to the CIPSO format:

                                   1






         8         8             16 bit
   |--------------------------------------------|
   |  Type    | Length  |        Level          |
   |--------------------------------------------|
   |                  DOI                      |
   |--------------------------------------------|
   |  Cat ID  |           Categories            |
   |--------------------------------------------|
   | (8 bits) |            (24 bits)            |
   |--------------------------------------------|
   |   255    |                                |  <-- Sys Hi
   |--------------------------------------------|



This format will effectively eliminate all tags.  Its basic merit is
that it is simpler for routers to handle.  The 16-bit security level is
to be encoded for certain Hamming distance and not open to definition of
2 to the 16th levels.  It would be easy for a router to implement.  No
flexibility in specifying different security policies.

It was voted 9:4 to continue the discussion of the other issues and
table this proposal and discuss it more electronically before the next
meeting.

Discuss and Close Issues


   o Issue 1:  Spec Clarifications

     Section 4, eliminate the non-security IP options from the document.
     This section will be replaced with a reference to the Internet
     Assigned Numbers Administration (IANA).

     Note that the length fields and tag numbers in the document should
     be reviewed and corrected.

     The requirement to transmit between DOI should be done by IP
     gateways and not by routers.  Pro:  11, Con:0

     Clarify the concept of classes of tags (i.e., sensitivity tags).
     Pro:  12, Con:  0.

   o Issue 3:  Sort Categories

     Categories enumerated in type-2 tags should appear in ascending
     order.  Pro:  12, Con:  0

   o Issue 5:  Exclusionary tag type change

     Eliminate the exclusionary flag from the enumerated tag in favor of

                                   2





  adding a new range tag type with lower and upper bounds.  Pro:  14,
  Con:  0

  Redesigning Tag Type 2

            8          8          8
       |----------------------------------------------------------|
       |   Type   |  Length  |   Level   |  Enumerated Categories |
       |----------------------------------------------------------|

       It was voted to eliminate the flags field from the Tag Type
       2 format.  Pro: 13, Con: 1

       Design Tag Type 5  (Range type)

            8      8      8     16   16
       |------------------------------------------------------|
       | Type= 5 | Len | Level | 1h | 1l |   |...|  | nh | nl |
       |------------------------------------------------------|
                                                          ^
                                                 Optional, 0
                                                  assumed if
                                                     missing


  nh is the range high value and nl is the range low value.  ranges
  are sorted high to low non-overlapping.

  The use of this format for the new Tag Type 5 was voted Pro:11,
  Con:  2.

o Issue 8:  Tag alignment

  Compliant implementations will support unaligned tags.  Pro:  12,
  Con:  0

o Issue 13:  Tag types 128-255:  Vendor/DOI assigned

  It was agreed that these tag types would be defined by the DOI and
  not the vendor.  For example, a vendor should not implement a new
  tag format with a hard coded type number >127 unless the
  implementation is solely for a particular DOI.

  The need of these tag types was questioned during the meeting.
  There was concern that allowing users to define their own label
  formats could lead to non-interoperability issues later.  It was
  decided to table the discussion until we had more time to look at
  the problem.

o Issue 2:  Multiple DOI's

  2a.  Implementations must support one DOI and may/should support

                                3





     more than one.  Pro:  13, Con:  0

     2b.  Recommend to administrators that a common DOI should be
     understood by all hosts on a subnetwork.  Pro:  12, Con 0

     2c.  For outgoing communications the DOI is selected based on
     either the network interface that will be used or by the address of
     the destination.  This insures that the DOI selected on outgoing
     packets is not just a host level default but can be configured
     based on either the network interface (i.e., network default DOI)
     or by the destination host address.  If it is on the destination
     host address then a DOI could be configured for the destination IP
     subnetwork or the host itself.  Pro:  8, Con:  0

   o Issue 18:  Reserve DOI number 3 for use in testing

     Not necessary to include in the RFC. DOI's are configurable.  Pro:
     12, Con:0

   o Issue 6:  Multiple sensitivity tags

     Only one sensitivity tag included in a CIPSO option.  Pro:  8, Con:
     2.

   o Issue 19:  Canonicalization

     Require a common deterministic algorithm in CIPSO implementations
     where each label can be represented by only 1 sensitivity tag type.


      -  Increases speed of equality check
      -  Possible algorithms
          * Ascending order of tag numbers (1 first then 2 .  .  .)
          * Minimize space (use tag that requires least bytes)
      -  Possible loss in speed due to time required for new algorithm
      -  Goes against concept of maximize what you will accept


     Tabled

   o Issue 4:  What to do on unrecognized tag types

     The behavior on unrecognized tag types should be configurable with
     the default being not to accept the packet.  Pro:  8, Con:  4.

     Make configuration optional, the default being to generate an error
     on unrecognized tags.  Pro:  10, Con:  1


Issues not discussed due to time constraints


                                   4





  1. Minimum RFC compliance

  2. Error conditions and responses.  Brian Yasaki and Debbie Futcher
     wrote up a section for error conditions.  A new copy will be sent
     out the mailing list and comments should be placed back on the
     mailing list.

  3. Configuration parameters.  Minimal configuration parameters
     required for each CIPSO host.  Some of these changed with the
     issues discussed and a new version will be put on the mailing list
     before the next meeting.



Conclusion

As you can see we made it through a lot of issues and closed most of
them.  This is great.  Part of the reason many were closed so quickly is
that we discussed them at the previous CIPSO IETF meeting but we agreed
to hold them open until this meeting.

A request was made for a new CIPSO IETF editor.  Mark Powers has been
doing a great job but due to job requirements he has not been able to
make many of the meetings.  Mark Christenson from Cray volunteered to do
the work.  I will make the appropriate changes to the document and
submit it to Internet-Drafts and then give the document to Mark.  Thanks
Mark.

The next meeting of the CIPSO IETF will be at the HP complex in
Cupertino, CA September 24th - 26th of this year.  It will be held in
conjunction with the TSIG meeting.  It will start around 9am on the 24th
and will have a morning wrap-up on the 26th ending around noon.  I will
send out more details as I get them.

If you have comments on any of the issues discussed please put these
comments out on this mailing list now.  Do not wait until the next
meeting.  If you have any new issues then again please bring them out
now.  New issues brought up at the next meeting will take a lower
priority to existing issues that have had a chance to be digested and
discussed on the mailing list.

Attendees

Richard Balcon           rbalcon@oracle.com
Tom Benkart              teb@saturn.acc.com
Nelson Bolyard           nelson@sqi.com
Doug Brown               cdbrown@sandia.gov
Mark Christenson         mgc@cray.com
Daylan Darby             daylan@ssc_bee.boeing.com
Deborah Futcher          dfutche@eco.twg.com
Amir Hudda               amir@sware.com
Barry Miracle            miracle@sctc.com
Noel Nazario             nazario@csdserv.ncsl.nist.gov

                                   5





Oscar Newkerk            newkerk@decwet.enet.dec.com
Jackie Proveaux          jackie@csd.harris.com
John Seligson            johns@ultra.com
Ron Sharp                rls@neptune.att.com
Rick Slade               ricks@csd.harris.com
Richard Smith            smiddy@pluto.dss.com
Frank Solensky           solensky@clearpoint.com
Michael St.  Johns       stjohns@umd5.umd.edu
Emil Sturniolo           emil@doe.dss.com
Bruce Taber              taber@interlan.com
Dean Throop              throop@dg-rtp.dg.com
Gerard White             ger@concord.com
Brian Yasaki             bky@eco.twg.com



                                   6