SEND WG IETF 57, Vienna Monday, July 14, 9:00 am

Agenda bashing Introduction and Agenda Bashing (5 min.) Chairs Draft Status (10 min.) Chairs Implementation Report (20 min.) Pekka, James IPR discussion (10 min) all, with chairs moderating Open issues in draft-ietf-send-ipsec (20 min) Jari IPsec, IPsec w. CGA Header, or ND options? –ND options (10 min) Jari –IPsec w. CGA header (10 min) Pekka –technical discussion (40 min or until done), all with James moderating Summary and Way Forward (10 min). Chairs

Draft status draft-ietf-send-psreq-03.txt –Intended for Informational RFC –Submitted to IESG at the end of April –IESG review hasn’t started yet draft-ietf-send-ipsec-01.txt –A number of open issues –Biggest issue: IPsec or ND options draft-ietf-send-cga-00.txt –Fairly close to be completed –Some details still need discussion

Implementation reports Jon Wood implemented CGA and RSA transform on Linux Pekka and Gonzalo Camarillo implemented CGA on FreeBSD/KAME –Only basic CGA handling New option to ifconfig Ability to generated CGA IIDs CGA header handling to be added?

Conclusions from Linux implementation work A separate presentation

Conclusion from FreeBSD implementation work Directly mixing CGA and AH is a bad idea –CGA addresses need to be generated at the ND level anyway Generating the first link local address Generating addresses as prefixes are received –Outgoing IPsec SA would become cumbersome Ugly extensions to PF_KEY ifconfig works nicely for configuring CGA PF_KEY would work nicely for pure PK AH

IPR Discussion Ericsson and Microsoft have claimed IPR on Cryptographically Generated Addresses Ericsson released IPRs before IETF56 Microsoft has released IPRs recently No other IPR claims has been received

Open issues A separate presentation

IPsec or ND options Integrating CGA with IPsec got lots of objection Jari Arkko and Tuomas Aura have proposed to move all functionality to ND options Pekka Nikander has proposed to move CGA into a separate extension header Mostly an architectural issue –Should IPsec include PK crypto at AH/ESP at all? This is also the question wrt. source address based SA selection, since PK is source bound –Is in-line KMP allowed? (IPsec WG rejected SKIP) –Should IPsec be used to protect IP layer signalling at all? But first some discussion rules and goals

Rules for discussion Two microphones –First one for primary comments –Second one for followups 3 minutes for each initial comment –After that the commentator must move to the followup microphone Once the discussion is completed, we will perform a concensus call –The concensus call options are on the next slide

Concensus call questions Question 1: If SEND was based on IPsec AH, should we use –a) a large AH header carrying the key (draft-ietf-send-ipsec-01.txt), or –b) separate CGA and AH headers (draft-nikander-send-ipsec-00.txt) Question 2: Should SEND be designed on –a) IPsec AH, using a) or b) from above –b) ND options (draft-arkko-send-ndopt-00.txt)

Summary and Way Forward Continue with ND options Try to get the next version of the draft out before the beginning of September –Probably need to work on certificate issues even after that Need to change the charter Write down the lesson learned about trying to use AH