

Operational Security Capabilities for IP Network Infrastructure (Active WG)
Ops Area: Benoit Claise, Warren Kumari | 2004-Oct-14

IETF-100 opsec minutes

Session 2017-11-13 1550-1720: Olivia

Minutes: minutes-100-opsec-00



          IETF 100 - OPSEC Agenda
          
              Monday, November 13th, 2017
              15:50-17:20 Afternoon Session II
              Room: Olivia
              Chairs: Eric Vyncke,  Gunther Van de Velde
          
          
              1. WG Status Update (Eric Vyncke)
          
              RFCs:
                  None
          
              WG Drafts:
                  draft-ietf-opsec-ipv6-eh-filtering
                          WGLC in September
                          Needs more work
                  draft-ietf-opsec-v6
                          WGLC in April
                          Needs more work
          
              Individual Contributions:
                  draft-sriram-opsec-urpf-improvements
                  draft-gont-opsec-icmp-ingress-filtering
          
          
              2. draft-ietf-opsec-ipv6-eh-filtering, Recommendations on the
              Filtering of IPv6 Packets Containing IPv6 Extension Headers. (F.Gont)
          
              Ron Bonica - We should be explicit about which transit router this
              document is addressing. One inside an ISP or one at the edge of an
              enterprise. Also, at the last NANOG, there was a large conversation
              about fragmentation headers. We want to see how that conversation
              lands before we publish this document.
          
              Bob Hinden - This also needs review or maybe a last call
              in 6man.  Also, I don't see much value in talking about current
              implementations. The document should talk about what we should do. It
              isn't ready to publish.
          
              Erik Kline - Given that we have these blacklists, how do we ever ship
              a new option? Does the document allow experimental headers to pass?
          
              Fernando Gont - We do whatever RFC 7045 says. We permit experimental
              and unknown headers. We only blacklist a few well-known EHs.
          
              Brian Carpenter - Scope the document even more narrowly than Ron
              suggests. Talk about specific classes of transit router. Also,
              don't use the word "Intermediate System" in the document. This is
              a term of art in IPv6. Use the term "transit router".
          
              Lee Howard - The document says that packets with unknown IPv6 EHs
              (i.e., not in the IANA registry) should be dropped. This means that
              Erik's objection is very real.
          
              Fernando - disputes the point.
          
              3. draft-ietf-opsec-v6, Operational Security Considerations for IPv6
              Networks. (Eric Vyncke)
          
              Merike - We still care about the document, but we don't have the time
              or energy to keep up with the comments. Do we want an issue tracker?
          
              Gunter - Ask the question on the list
          
              Eliot Lear - In the section on ULAs, you miss a use case. This is
              where the network has no connectivity to the Internet.
          
              Brian Carpenter - This document also needs to be reviewed and last
              called in 6man and v6ops. There are also a few problems in the ULA
              section. There is a document in 6man on ULA.
          
              Ron Bonica - And there is another document on ULA in v6ops.
          
              4. draft-ietf-opsawg-mud, Manufacturer Usage Description
              Specification. (Eliot Lear)
          
              Ron Bonica - I support the idea. One question: The draft assumes
              some minimal filtering capabilities on the part of the controlled
              device. What are those? What happens when the device can't filter
              to the required specificity?
          
              Eliot - We use a constrained version of the IETF ACL model.
          
              Fernando Gont - Why did you decide to pull the policy from the vendor,
              as opposed to the device?
          
              Eliot - Because the device may not have room to store the policy.

              Fernando - What happens if the vendor turns evil or gets hacked?

              Eliot - The device is more vulnerable than the vendor's web server.
          
              Doug Montgomery - I think it's good work. How do you make this
              scale? What happens if I have a million light bulbs from a million
              vendors? Do I have a million ACLs? Maybe you could bind a MAC prefix
              to a device type.

              Erik Kline - Good work. Who pulls the ACL for the devices? What
              happens if the device is hacked? Or if the device changes certs?
          
              5. draft-fairhurst-tsvwg-transport-encrypt-03, The Impact of Transport
              Header Encryption on Operation and Evolution of the Internet.
              (Gorry Fairhurst )
          
              Nalini Elkins - This is great. We would like to look at the transport
              header, and even inside.
          
              ??Andreason?? - This is great work. Let's progress it.
          
              Chris Morrow - This is interesting. Lots of the problems you are
              talking about are tooling problems. Maybe the tooling needs to
              change? This is a better solution than not encrypting.
          
              Warren Kumari - Good work. Please take a look at a similar draft
              called "The Effects of Pervasive Encryption on Operators". It has
              had one very entertaining last call and will have another LC.
          
              Igor Gashinsky - I am confused about the purpose of this draft. We
              are encrypting more so we can't see as much. Wasn't that the intent?

              Gorry - I want to understand what would be lost if we encrypted
              everything and then make a conscious decision about what to encrypt.
          
              6. draft-kuehlewind-taps-crypto-sep, Separating Crypto Negotiation
              and Communication.  (Chris Wood)
          
              - No questions
          
              7. draft-baba-iot-problems, Problems in and among industries for
              the prompt realization of IoT and safety considerations.(Hiroyuki
              BABA and Yoshiki ISHIDA)
          
              - No questions
          
              8. draft-sriram-opsec-urpf-improvements, Enhanced Feasible-Path
              Unicast Reverse Path Filtering. (Kotikalapudi Sriram )
          
              - No questions
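The item 2 discussion above turns on two mechanics a transit-router EH filter has to get right: walking the extension-header chain to the upper-layer protocol, and deciding what to do with a next-header value that is neither a known EH nor a known upper-layer protocol (the point RFC 7045 makes and that Erik Kline and Lee Howard raise). The following is an added example, not code from draft-ietf-opsec-ipv6-eh-filtering or from the minutes; the permit/drop policy table and the test packets are constructed for illustration, and dropping routing header type 0 is included because RFC 5095 deprecates it, not because the draft is quoted here. The handling of unknown next headers is a parameter so that both positions in the debate can be expressed.

```python
"""Walk an IPv6 extension-header chain and apply a transit-router filter
policy. Added example; not the draft's own recommendations."""
import struct

# IANA protocol numbers for the extension headers a transit router may meet.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
MOBILITY, HIP, SHIM6, EXP_253, EXP_254 = 135, 139, 140, 253, 254
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS,
                     MOBILITY, HIP, SHIM6, EXP_253, EXP_254}

# Upper-layer protocols at which the walk stops (assumption: only EHs are filtered).
UPPER_LAYER = {6, 17, 58, 132}  # TCP, UDP, ICMPv6, SCTP

# Constructed sample policy: everything permitted at the header level; the
# real draft's per-EH recommendations are not reproduced here.
SAMPLE_POLICY = {eh: "permit" for eh in EXTENSION_HEADERS}
# Routing header types dropped regardless of the header-level action (RH0, RFC 5095).
SAMPLE_DROP_RH_TYPES = {0}


def eh_length(nh, buf):
    """Byte length of the EH starting at buf[0]; Fragment is fixed, AH is in
    32-bit words, every other EH is in 64-bit units not counting the first."""
    if nh == FRAGMENT:
        return 8
    if nh == AH:
        return (buf[1] + 2) * 4
    return (buf[1] + 1) * 8


def filter_ipv6(packet, policy=SAMPLE_POLICY, unknown_action="permit",
                drop_rh_types=SAMPLE_DROP_RH_TYPES):
    """Return ('permit'|'drop', reason) for an IPv6 packet given as bytes.

    unknown_action governs next-header values that are neither a known EH nor
    a known upper-layer protocol. RFC 7045 notes a forwarding node cannot tell
    those two cases apart, so the default is 'permit'; pass 'drop' to get the
    behaviour Lee Howard attributes to the draft."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    nh, offset, seen = packet[6], 40, []
    while True:
        if nh in UPPER_LAYER or nh == NO_NEXT:
            return "permit", f"chain {seen} ends in protocol {nh}"
        if nh not in EXTENSION_HEADERS:
            return unknown_action, f"unknown next header {nh} after {seen}"
        seen.append(nh)
        if policy.get(nh, unknown_action) == "drop":
            return "drop", f"policy drops EH {nh}"
        if nh == ESP:  # the next-header field of ESP is encrypted: stop here
            return "permit", f"chain {seen} ends at opaque ESP"
        if offset + 8 > len(packet):  # every parsable EH is at least 8 bytes
            return "drop", "truncated extension header"
        if nh == ROUTING and packet[offset + 2] in drop_rh_types:
            return "drop", f"routing header type {packet[offset + 2]}"
        length = eh_length(nh, packet[offset:])
        if offset + length > len(packet):
            return "drop", "truncated extension header"
        nh, offset = packet[offset], offset + length


def build_packet(chain, payload_proto=6, rh_type=0):
    """Construct a minimal IPv6 packet whose EH chain is `chain` (list of
    protocol numbers). Constructed test input, not a captured packet."""
    nhs = chain + [payload_proto]
    body = b""
    for i, nh in enumerate(chain):
        nxt = nhs[i + 1]
        if nh == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 1)
        elif nh == ROUTING:
            body += bytes([nxt, 0, rh_type, 0, 0, 0, 0, 0])
        elif nh == AH:
            body += bytes([nxt, 1, 0, 0]) + b"\0" * 8  # payload len 1 -> 12 bytes
        else:  # HBH, DO, Mobility, HIP, Shim6, experimental: 8 bytes with a PadN option
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])
    body += b"\0" * 20  # dummy upper-layer payload
    base = b"\x60\0\0\0" + struct.pack("!HBB", len(body), nhs[0], 64) + b"\0" * 32
    return base + body


if __name__ == "__main__":
    for chain, kw in [([HOP_BY_HOP, FRAGMENT], {}), ([ROUTING], {"rh_type": 0}),
                      ([DEST_OPTS], {"payload_proto": 200})]:
        print(chain, kw, filter_ipv6(build_packet(chain, **kw)))
```

Two design points are worth noting for anyone adapting this. The walk refuses to guess past ESP, so a policy that wants to see the transport header behind ESP has nothing to look at; and a truncated header is dropped rather than permitted, since a chain that cannot be walked cannot be classified.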
          
          


