IPSRA Minutes 3-28-00

Agenda was bashed

Charter review -- Sara Bitan
        Pointed people to the charter
                Address assignment and configuration
                User authentication
        Can't change IKE

Requirements -- Scott Kelly
        Reviewed draft-ietf-ipsra-reqmts-00.txt
        Endpoint authentication
                Question about how to distinguish between user and machine
                certificate and whether it is important
        Remote host device configuration features
        Security policy configuration -- probably outside of WG charter
        Mobility -- do we need this to be different than above?
        Scenarios covered in the document
        Commonalities in the scenarios

Framework/architecture document: Sara put out request for volunteers

Key exchange proposals
        draft-bellovin-ipsra-getcert -- Steve Bellovin
                Four sub-proposals
                Approach: Use existing tools, such as SSL over HTTP
                Client-side cert generation
                Server-side key generation
                Server-side key storage
                Server-generated shared secrets
                Questions about whether we want this to be a one-time cert
                Questions about whether this is just an enrollment protocol
        draft-ietf-ipsra-pic -- Yaron Sheffer
                One-way secure channel where the server is authenticated
                After channel is up, use XAuth
                Same types of credentials as Bellovin
                First part isn't a type of IKE
        draft-kelly-ipsra-userauth -- Scott Kelly
                Create an IKE SA
                Go into limited Phase 2, do auth exchange there
                After auth, either refocus the Phase 2 or kill it
                        and start others

Config proposals
        draft-ietf-ipsec-dhcp -- Bernard Aboba
                Config requirements
                Security requirements
                DHCP packet body
                DHCP options
                Address pool selection
                Comparison with L2TP in Phase 2
        draft-ietf-pppext-secure-ra -- Pyda Srisuresh
                Using L2TP to do config
                Enterprise trust model
                Remote access server features
                LNS as a NAS
                SRAS extensions to LNS
                RADIUS protocol extensions
                Questions about whether this is a proper use of L2TP