IETF Munich IPsec Working Group Meeting Minutes


Moderator: Ted Ts'o <tytso@mit.edu>, WG Co-Chair
Scribe: Rodney Thayer <rodney@sabletech.com>

The WG met on Friday at the IETF meeting in Munich.
Approximately 120 people attended.  This was MBONE broadcast.

The Agenda was:

	* Agenda Bashing
	* Introduction
	* Active WG Documents
	* AH and ESP Review
	* DES MAC Presentation
	* ISAKMP Review
	* Architecture Review
	* Trust Path Topology Presentation
	* VPN Presentation
	* Secure DHCP Presentation
	* IPsec Followon Presentation


Active WG Documents
===================

Ted presented the list of documents, all 29 of them.  This
includes top-level, encryption, authentication, key management, 
and some obsolete Internet Drafts.  This does include some that
have received little feedback, such as the ISAKMP optimization
proposal, and the WG was encouraged to make sure people have
reviewed the documents.  It was pointed out that there are too
many drafts, and we should somehow cut down the number.  There
was a discussion about what can be advanced, the answer was that
some sort of consistent set of documents has to be advanced
together so that people can get context when they read them.

AH and ESP Review - Steve Kent
==============================

Steve Kent reviewed the AH and ESP documents.  These together
with the Architecture document and the (default, referenced) ESP
Cipher and Authentication drafts would make up the minimal set
that can be advanced.   There was a discussion of window size,
which has carried forward to the mailing list.  There was some
discussion about mutable fields being zero and not some
predicted value.  There was discussion about sequence number
roll-over if manually keyed (conclusion: ignore rollover)  There
was mention that the defaults are now DES/CBC, HMAC-MD5(?), and
64 packet replay window.

DES MAC Presentation - Sara Bitan
=================================

This was a proposal to use DES as a MAC algorithm -- do a
separate DES operation and use the last DES block (64 bits) as
the MAC value.  A draft has been written and submitted.  The
motivation is that you can get DES chips, Authentication
algorithms are slow and auth chips are hard to buy (a
consideration outside the US)

ISAKMP Review - Doug Maughan
============================

Doug Maughan presented the current ISAKMP (V8) draft.  There was
some discussion about field alignment and padding.

IPSec Architecture Review - Steve Kent
======================================

Steve Kent went over the current draft of the Architecture
doucment.  There was discussion about 'selectors' (an old
section in the document which has received little comment), IPv6
'Class', DOI vs. Architecture inconsistencies.  There was
discussion about whether ESP should be mandatory for IPv4.
A modest amount of Multicast discussion was volunteered to be
added to the document.

Topology Discovery - Sara Bitan
===============================

Sara Bitan presented a proposal for topology discovery using
secure paths among routers.

Virtual Private Networks - Naganand Doraswamy
=============================================

Naganand presented a proposal on VPN scenarios using IPsec, with
a proposal to add a "TX" DNS record type.  There was discussion
on whether ICMP could be used, or other schemes.

Secure DHCP - B. Patel
======================

B. Patel did a presentation on how to use DHCP in a secure
manner with Ipsec, based on a two stage procedure using two DHCP
servers, one untrusted and one trusted.

IPsec Followon - Steve Bellovin
===============================

Steve Bellovin presented his view of what has to happen next
with IPsec, dividing things into "critical path", "Useful", and
"Hard" items.  The only thing left on the critical path is a
MIB.  There was discussion that there needs to be more somewhere
about how applications can use IPsec.