IPSRA minutes

Note that the two main presentations are available on the WG web site at .

Agenda bashing
  No additional topics were proposed.

Charter reminder
  Repeated the three goals from the charter.
  Meta-requirement: must not change IKE until the IPsec WG is done with it (more than a year away, probably).
  We have current authentication proposals:
    Legacy authentication -> short-term certs
      get-cert
      PIC
  We have a current configuration proposal:
    DHCP (now a submission to the IPsec WG)

IPSRA Requirements document
  Scott Kelly gave a detailed discussion of the draft. There were many changes between draft -00 and -01:
    Deleted roaming/wireless users and user-to-user connections from the scenarios.
    Mobility requirements were deleted.
    Load balancing (multiple points of entry) vs. remote users changing their IP address.
    Accounting requirements need to be fleshed out:
      Connection start & stop
      Incoming and outgoing octet counting
      Where does accounting happen?
    Jeff Schiller said that accounting can be done better in another group.
    Jesse Walker pointed out that some accounting info disappears when it becomes encrypted.
    What is machine authentication? How is it different from user authentication?
    Marcus Leech said machine certs are out of scope. It doesn't matter who has the private key.
    Some scenarios deleted:
      Roaming users (it is the same as telecommuter)
      User-to-user (it is the same as regular IPsec)
    Added discussion of threats and mitigation to the telecommuter scenario discussion.
    Added a statement about encouraging migration to stronger authentication systems to the legacy compatibility section.
  Open issues:
    IRAC policy config: not really in scope, but should be able to do it.
    Mobility requirement
    Do we want to support single sign-on?
    Client having a dynamic IP address: can renegotiate the SA.
    Multiple access points into the network; once per session.
    Protection of the password on the laptop: out of scope, says Marcus.
  Scott will do version -02 of the requirements document soon.
  Question from the floor: do we allow two-factor? General answer was yes, within the auth proposals, not outside.

Discussion of authentication proposals
  PIC: Yaron Sheffer said there had been internal talk between the authors on PIC. They will get us a new draft within a month.
  Getcert: Steve Bellovin said he had nothing new to say. We will hold a straw poll among the four parts of getcert on the mailing list soon, and Steve will flesh out the proposal for the one that wins. This will be done soon so the WG can decide.

DHCP Configuration of IPsec Tunnel Mode
  Bernard Aboba gave a quick overview of the draft. The draft is fairly stable unless folks find problems. There haven't been any big changes since the last meeting.
  Meets the requirements for typical configuration using current DHCP.
  Can use DHCP authentication; this is not access control -- just to prevent attacks.
  There was a discussion of whether there should be a different htype or option used just for VPN. This might help failover systems to re-allocate IP addresses from the pool. Users want consistency across gateway reboots, if possible.

Other
  There was a question about whether the WG was trying to be NAT-friendly. The answer was: not in our charter.
  There was a brief discussion of the way forward, which will be to evaluate the two authentication proposals in the next few months. The configuration proposal can be finished separately, sooner.

--Paul Hoffman, Director
--VPN Consortium