IPSRA minutes

Note that the two main presentations are available on the WG web site at <http://www.vpnc.org/ietf-ipsra/>.

Agenda bashing
        No additional topics were proposed

Charter reminder
        Repeated the three goals from the charter
        Meta-requirement: must not change IKE until IPsec WG is done with it (more than a year away, probably)
        We have current authentication proposals
                Legacy authentication -> short term certs
                        get-cert
                        PIC
        We have a current configuration proposal
                DHCP (now a submission to the IPsec WG)

IPSRA Requirements document
        Scott Kelly gave a detailed discussion of the draft.
        There were many changes between draft -00 and -01
                Deleted roaming/wireless users, and user-to-user connections from scenarios
        Mobility requirements were deleted
                Load balancing (multiple points of entry) vs. remote users changing their IP address
        Accounting requirements need to be fleshed out
                Connection start & stop
                Incoming and outgoing octet counting
                Where does accounting happen
                Jeff Schiller said that accounting can be done better in another group.
                Jesse Walker pointed out that some accounting info disappears when it becomes encrypted.
        What is machine authentication? How is it different from user authentication?
                Marcus Leech said machine certs are out of scope. It doesn't matter who has the private key.
        Some scenarios deleted:
                Roaming users (it is the same as telecommuter)
                User-to-user (it is the same as regular IPsec)
        Added discussion of threats and mitigation to telecommuter scenario discussion
        Added statement about encouraging migration to stronger authentication systems to legacy compatibility section
        Open Issues:
                IRAC Policy config: not really in scope, but should be able to do it.
                Mobility requirement
                        Do we want to support single-sign-on?
                        Client having a dynamic IP address: can renegotiate SA
                        Multiple access points into the network; once per session
        Protection of password on the laptop out of scope, says Marcus.
        Scott will do version -02 of the requirements document soon.
        Question from the floor: do we allow two-factor? General answer was yes, within the auth proposals, not outside.

Discussion of authentication proposals
        PIC:
                Yaron Sheffer said there had been internal talk between the authors on PIC. They will get us a new draft within a month.
        Getcert:
                Steve Bellovin said he had nothing new to say. We will hold a straw poll among the four parts of getcert on the mailing list soon, and Steve will flesh out the proposal for the one that wins. This will be done soon so the WG can decide.

DHCP Configuration of IPSEC Tunnel Mode
        Bernard Aboba gave a quick overview of the draft.
        The draft is fairly stable unless folks find problems. There haven't been any big changes since the last meeting.
        Meets the requirements for typical configuration using current DHCP.
        Can use DHCP authentication; this is not access control -- just to prevent attacks.
        There was a discussion of whether there should be a different htype or option used just for VPN. This might help failover systems to re-allocate IP addresses from the pool.
        Users want consistency between gateway reboots, if possible

Other
        There was a question about whether the WG was trying to be NAT-friendly. The answer was: not in our charter.
        There was a brief discussion of the way forward, which will be to evaluate the two authentication proposals in the next few months. The configuration proposal can be finished separately, sooner.

--Paul Hoffman, Director
--VPN Consortium