CURRENT_MEETING_REPORT_

Reported by Marcus Leech/Bell Northern Research

Minutes of the Authenticated Firewall Traversal Working Group (AFT)

The AFT Working Group held one session on Thursday, 8 December.


UDP

The issue of UDP fragmentation was discussed.  This issue has to do with
SOCKS protocol headers being prefixed to a UDP datagram, and the
resulting datagram being too large to fit whatever OS buffers are
allocated by the application.  One proposal was to have support in the
protocol and implementation for UDP-level fragmentation.  After some
discussion, it was concluded that this was not a protocol issue, but
rather an implementation one.  The implementation may detect the case
where the combination of SOCKS header and application data exceeds the
size of UDP buffer offered by the OS, and simply ask for more buffer
space on behalf of the application.
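The size arithmetic behind the conclusion above, as an added example that is not part of the minutes or of any SOCKS implementation: a helper library that prefixes the SOCKS UDP header has to notice when header plus application data will no longer fit the buffer the application handed in, and size its own receive buffer accordingly. The header layout assumed here is the one later published in RFC 1928 (RSV, FRAG, ATYP, DST.ADDR, DST.PORT); the draft discussed at this meeting may have differed, and the function names are invented for the example.

```python
# Added example, not code from the AFT minutes or any SOCKS implementation.
# Assumption: SOCKS5 UDP request header as later published in RFC 1928:
#   RSV(2) FRAG(1) ATYP(1) DST.ADDR(variable) DST.PORT(2)
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Largest header the library can ever be asked to strip: a 255-byte domain name.
MAX_HEADER = 4 + 1 + 255 + 2


def encapsulate(payload: bytes, dst_host: str, dst_port: int) -> bytes:
    """Prefix the SOCKS5 UDP header to an application datagram."""
    try:
        ip = ipaddress.ip_address(dst_host)
    except ValueError:
        name = dst_host.encode("ascii")
        if len(name) > 255:
            raise ValueError("domain name too long for ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return b"\x00\x00" + b"\x00" + addr + struct.pack("!H", dst_port) + payload


def header_length(datagram: bytes) -> int:
    """Return the number of header bytes in front of the payload, validating ATYP
    and refusing datagrams too short to carry the header they claim."""
    if len(datagram) < 4:
        raise ValueError("truncated SOCKS5 UDP header")
    atyp = datagram[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if len(datagram) < 5:
            raise ValueError("truncated SOCKS5 UDP header")
        addr_len = 1 + datagram[4]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    hlen = 4 + addr_len + 2
    if len(datagram) < hlen:
        raise ValueError("truncated SOCKS5 UDP header")
    return hlen


def decapsulate(datagram: bytes):
    """Split an encapsulated datagram into (dst_host, dst_port, payload)."""
    hlen = header_length(datagram)
    atyp = datagram[3]
    if atyp == ATYP_DOMAIN:
        host = datagram[5:hlen - 2].decode("ascii")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(datagram[4:8]))
    else:
        host = str(ipaddress.IPv6Address(datagram[4:20]))
    port = struct.unpack("!H", datagram[hlen - 2:hlen])[0]
    return host, port, datagram[hlen:]


def receive_buffer_size(app_bufsize: int) -> int:
    """The buffer the library must pass to recvfrom() so that the payload size the
    application asked for still fits once the SOCKS header is in front of it.
    This is the 'ask for more buffer space on behalf of the application' step."""
    return app_bufsize + MAX_HEADER


def socks_recvfrom(raw_datagram: bytes, app_bufsize: int):
    """Library side of a wrapped recvfrom(): strip the header, hand the application
    at most app_bufsize payload bytes, and report whether the payload itself was
    larger than the buffer the application offered."""
    host, port, payload = decapsulate(raw_datagram)
    truncated = len(payload) > app_bufsize
    return payload[:app_bufsize], (host, port), truncated


if __name__ == "__main__":
    # Constructed scenario: the application reads with a 512-byte buffer and the
    # peer sends exactly 512 payload bytes; the 10-byte IPv4 header pushes the
    # datagram to 522 bytes, which a naive recvfrom(512) would silently truncate.
    wire = encapsulate(b"x" * 512, "192.0.2.1", 53)
    print(len(wire), header_length(wire), receive_buffer_size(512))
    print(socks_recvfrom(wire, 512)[2])
```

The library never needs to know the exact header length before the read: reading into `app_bufsize + MAX_HEADER` bytes covers every address type, and `socks_recvfrom` then reports the one case that is really the application's problem, a payload larger than the buffer it offered.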

Perry Metzger pointed out that the UDP encapsulation is unnecessarily
bulky, with unnecessary replication of authentication information in the
header.  Perry will submit details to the mailing list about a proposal
to deal with this issue.


SOCKS V5

Several clarifications of the existing SOCKS V5 draft were discussed,
including typos in the description of the encryption payload.  It was
also pointed out that support for IP 'V5' addresses is meaningless and
should be dropped.

General consensus was reached that the authentication portion of the
protocol needs more review, and that specific emphasis should be put on
finding both near and long-term solutions.  A list of requirements for
such an authentication protocol was generated, with general agreement
that there be more discussion on the mailing list.

The following list of requirements was generated:


   o Authentication/privacy must be negotiable with regard to parameters
     and mechanisms.

   o There should be a baseline method that all conforming
     implementations must support.

   o Other mechanisms must be negotiable in place of the baseline
     mechanism, where other mechanisms exist.

   o The baseline method chosen must be deployable in the near-term, and
     so must use an existing or about-to-mature technology.

   o The mechanism(s) chosen must be secure.


There was general consensus that GSSAPI should be investigated as a
baseline mechanism, with support for the IPKM protocol, when it emerges.
Piers McMahon will post some details of GSSAPI, and its relevance to
SOCKS to the mailing list.
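The negotiation shape that the requirements list above asks for (a negotiable mechanism, a mandatory baseline, other mechanisms selectable in its place), with GSSAPI as the candidate baseline named in the preceding paragraph, as an added example that is not part of the minutes or of any SOCKS implementation. The method numbers are the ones later assigned in RFC 1928 and are an assumption here; the draft under discussion may have numbered them differently, and the function names are invented for the example.

```python
# Added example, not code from the AFT minutes or any SOCKS implementation.
# Assumption: the method-selection exchange and method numbers of RFC 1928:
#   client -> server: VER(1) NMETHODS(1) METHODS(1..255)
#   server -> client: VER(1) METHOD(1), 0xFF meaning "no acceptable method"
SOCKS_VERSION = 0x05
NO_AUTH, GSSAPI, USERPASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
METHOD_NAMES = {NO_AUTH: "no authentication", GSSAPI: "GSSAPI",
                USERPASS: "username/password", NO_ACCEPTABLE: "no acceptable method"}


def client_hello(methods) -> bytes:
    """Encode the client's offer: every mechanism it is prepared to use."""
    methods = list(methods)
    if not methods or len(methods) > 255:
        raise ValueError("a client must offer between 1 and 255 methods")
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def parse_client_hello(data: bytes):
    """Decode the client's offer, rejecting anything that is not a well-formed
    version-5 greeting (wrong version, or NMETHODS not matching the bytes present)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        raise ValueError("NMETHODS does not match the greeting length")
    return list(data[2:])


def server_select(offered, server_policy) -> bytes:
    """Pick a method. server_policy is the ordered list of mechanisms the server
    is willing to accept, strongest first; the server chooses, not the client, so a
    client cannot talk the server down to a weaker method than policy allows."""
    for method in server_policy:
        if method in offered:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])


def parse_server_choice(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method-selection reply")
    return data[1]


def negotiate(client_methods, server_policy):
    """Run both sides of the exchange in-process and return the agreed method,
    or None when the server answered 0xFF and the client must close."""
    offered = parse_client_hello(client_hello(client_methods))
    chosen = parse_server_choice(server_select(offered, server_policy))
    return None if chosen == NO_ACCEPTABLE else chosen


if __name__ == "__main__":
    # Constructed policies: a firewall that insists on GSSAPI, and one that
    # accepts the baseline (here GSSAPI) or username/password but never "no auth".
    for policy in ([GSSAPI], [GSSAPI, USERPASS]):
        for offer in ([NO_AUTH], [NO_AUTH, USERPASS], [NO_AUTH, USERPASS, GSSAPI]):
            result = negotiate(offer, policy)
            print([METHOD_NAMES[m] for m in offer], "->",
                  "close connection" if result is None else METHOD_NAMES[result])
```

Two properties of the requirements list fall out of the server-decides design: a firewall that must authenticate traversals simply leaves `NO_AUTH` out of its policy, and a client that only implements the baseline still interoperates with any server, because every conforming server lists the baseline somewhere in its policy.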

There was general consensus that there needs to be more
firewall-to-firewall scenario discussion in the Internet-Draft, and that
the issues that firewall-to-firewall raises should be discussed on the
mailing list.