New BOF in Internet Area - ICOS

IP Configuration Security BOF (icos)

Thursday, March 10 at 0900-1130
===============================

CHAIRS: Bernard Aboba <aboba@internaut.com>
        Jari Arkko <jari.arkko@piuha.net>

AGENDA:

Preliminaries (5 minutes)
- Minute Takers
- Bluesheets

IP Configuration Security Problem, Bernard Aboba (10 minutes)
http://www.drizzle.com/~aboba/IETF62/icos.ppt

Why do we care, TBD (10 minutes)

EAP and its Applicability, Bernard Aboba (15 minutes)
http://www.drizzle.com/~aboba/IETF62/icos.ppt
http://www.ietf.org/rfc/rfc3748.txt
http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-04.txt

Overview of The MIPv6 Bootstrap Problem, James Kempf (15 minutes)
http://www.ietf.org/internet-drafts/draft-ietf-mipv6-bootstrap-ps-01.txt
http://www.ietf.org/internet-drafts/draft-giaretta-mip6-authorization-eap-02.txt
http://www.ietf.org/internet-drafts/draft-chakrabarti-mip6-bmip-00.txt
http://www.ietf.org/internet-drafts/draft-ietf-mipv6-ikev2-ipsec-00.txt
(more documents in the reading list)

Overview of DHCP Security, Mark Stapp/Ralph Droms (15 minutes)
http://www.ietf.org/rfc/rfc3118.txt
http://www.ietf.org/rfc/rfc3315.txt
http://www.ietf.org/internet-drafts/draft-ietf-dhc-v4-threat-analysis-03.txt
http://www.ietf.org/internet-drafts/draft-yegin-eap-boot-rfc3118-01.txt
http://bgp.potaroo.net/ietf/all-ids/draft-ietf-dhc-auth-sigzero-00.txt
http://www.drizzle.com/~aboba/IETF62/draft-stapp-dhc-eap-00.txt (To Be Provided)

Overview of Secure Configuration in SEND, Jari Arkko (10 minutes)
http://www.ietf.org/internet-drafts/draft-ietf-send-cga-06.txt
http://www.ietf.org/internet-drafts/draft-ietf-send-ndopt-06.txt

NSIS Secure Configuration Issues, Hannes Tschofenig (5 mins)
http://www.tschofenig.com/drafts/draft-tschofenig-nsis-qos-ext-authz-00.txt

Overview of Other IP Layer Needs, TBD (5 min)
- Mobile IPv4
- PANA
- IKEv2

Discussion and Wrapup (25 minutes)

There are also some papers available at the web page.

DESCRIPTION:

Internet layer configuration is defined as the configuration required to 
support the operation of the Internet layer.  This includes IP address 
configuration, default gateway(s), name server configuration, boot 
configuration (TFTP, NFS), service location and directory configuration, 
mobility configuration, and time server configuration (NTP).

Configuration is typically performed insecurely today.  For example, 
DHCP is rarely secured due to the need for keys to be set up between 
clients and servers. In other cases, such as in Mobile IPv6, tools for 
secure configuration exist and their use is required, but there are 
deployment barriers.

As a result, Internet Area working groups are exploring alternative 
solutions. These include the use of EAP for key derivation and 
configuration. For example, the DHC WG has considered employing 
EAP-derived keys with DHCP security, as defined in RFC 3118 
and RFC 3315.  The MIPv6 WG, in investigating the bootstrapping problem,
has considered proposals involving the use of IKEv2 with EAP, as well as 
the use of link layer EAP exchanges for configuration.

The SEND working group defined a certificate-based authorization for 
routers, where hosts prefer a router that has a certificate traceable 
to a trusted root configured on the host. SEND also defined a zero-
configuration mechanism for secure IP address configuration, based on 
Cryptographically Generated Addresses (CGAs).
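The CGA binding the paragraph above refers to, worked through as an added example (it is not code from the announcement or from the SEND WG). It follows the Hash1/Hash2 construction of draft-ietf-send-cga (later RFC 3972); the "public key" bytes and the 2001:db8:1::/64 prefix are constructed placeholders, as is the modifier search start value.

```python
import hashlib

# Constructed placeholders (not real keys): SEND carries a DER-encoded
# SubjectPublicKeyInfo here; any byte string exercises the construction.
PUBKEY = b"constructed-placeholder-public-key-bytes"
PREFIX = bytes.fromhex("20010db800010000")  # 2001:db8:1::/64 (documentation prefix)

def leading_bits_zero(hash2: bytes, sec: int) -> bool:
    """Hash2 rule: the leftmost 16*Sec bits of the 112-bit Hash2 must be zero."""
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0

def find_modifier(pubkey: bytes, sec: int, start: int = 0) -> bytes:
    """Search for a 128-bit modifier meeting the Hash2 condition.
    Expected cost grows as 2^(16*Sec): this is the hash-extension work
    that makes brute-forcing a CGA for someone else's address expensive."""
    modifier = start
    while True:
        m = modifier.to_bytes(16, "big")
        hash2 = hashlib.sha1(m + b"\x00" * 9 + pubkey).digest()[:14]  # 112 bits
        if leading_bits_zero(hash2, sec):
            return m
        modifier = (modifier + 1) % (1 << 128)

def cga_generate(prefix, pubkey, sec, modifier, collision_count=0):
    """Hash1 step: derive the interface identifier from the CGA Parameters."""
    params = modifier + prefix + bytes([collision_count]) + pubkey
    iid = bytearray(hashlib.sha1(params).digest()[:8])  # leftmost 64 bits
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # bits 0-2 = Sec, bits 6-7 (u/g) = 0
    return prefix + bytes(iid), params

def cga_verify(address: bytes, params: bytes) -> bool:
    """Any node can check the address/key binding from the parameters
    alone, with no certificates or pre-shared keys: the zero-configuration
    property the BOF description refers to."""
    modifier, prefix, cc, pubkey = params[:16], params[16:24], params[24], params[25:]
    if cc > 2 or prefix != address[:8]:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    hash1 = hashlib.sha1(params).digest()[:8]
    if (hash1[0] & 0x1C) != (iid[0] & 0x1C) or hash1[1:] != iid[1:]:
        return False
    hash2 = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]
    return leading_bits_zero(hash2, sec)

if __name__ == "__main__":
    mod = find_modifier(PUBKEY, sec=1, start=0x1234)
    addr, params = cga_generate(PREFIX, PUBKEY, 1, mod)
    print(addr.hex(), cga_verify(addr, params))
```

Verification binds the address to the key but not the key to any identity; that is why SEND pairs CGAs with the router certificate path for authorization.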

This BOF will provide an overview of Internet layer secure configuration 
needs, discussing the architectural issues and potential solutions under 
discussion. The purpose of the BOF is to discuss a common topic that 
touches several existing Working Groups, and it is not expected that a 
new working group will be formed as a result.

Reading list:

[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
          RFC 3118, June 2001.

[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C.
          and M. Carney, "Dynamic Host Configuration Protocol for IPv6
          (DHCPv6)", RFC 3315, July 2003.

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
          Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
          3748, June 2004.

[RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
          (DHCP) Service for IPv6", RFC 3736, April 2004.

[RFC3756] Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor
          Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

[RFC3818] Schryver, V., "IANA Considerations for Point-to-Point
          Protocol", RFC 3818, June 2004.

[ANYCAST] Hagino, J., and K. Ettikan, "An Analysis of IPv6 Anycast",
          draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt, Internet draft
          (work in progress), June 2003.

[DHCPv4Threat]
          Hibbs, R., Smith, C., Volz, B., Zohar, M., "Dynamic Host
          Configuration Protocol for IPv4 (DHCPv4) Threat Analysis",
          draft-ietf-dhc-v4-threat-analysis-02.txt, Internet draft (work
          in progress), April 2004.

[DHCPv6Threat]
          Prigent, N., Marchand, J., Dupont, F., Cousin, B., Laurent-
          Maknavicius, M. and J. Bournelle, "DHCPv6 Threats", draft-
          prigent-dhcpv6-threats-00.txt, March 2001.

[DNSConfv6]
          Jeong, J. (ed.), "IPv6 Host Configuration of DNS Server
          Information Approaches", draft-ietf-dnsop-ipv6-dns-
          configuration-04.txt, Internet draft (work in progress),
          September 2004.

[EAP3118] Yegin, A., Tschofenig, H. and D. Forsberg, "Bootstrapping RFC
          3118 Delayed DHCP Authentication Using EAP-based Network
          Access Authentication", draft-yegin-eap-boot-rfc3118-00.txt,
          Internet draft (work in progress), February 2004.

[EAPIKE]  Tschofenig, H., Kroeselberg, D., Ohba, Y. and F. Bersani, "EAP
          IKEv2 Method (EAP-IKEv2)", draft-tschofenig-eap-ikev2-05.txt,
          Internet draft (work in progress), October 2004.

[IKEv2]   Kaufman, C., (ed.), "Internet Key Exchange (IKEv2) Protocol",
          draft-ietf-ipsec-ikev2-17.txt, Internet draft (work in
          progress), September 2004.

[IPCPMIPv6]
          Song, J., Chong, C. and D. Leigh, "MIPv6 IPCP configuration
          option for PPP IPv6CP", draft-song-pppext-mipv6-ppp-
          support-01.txt, Internet draft (work in progress), October
          2001.

[SEND]    Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P.
          Nikander, "SEcure Neighbor Discovery (SEND)", draft-ietf-send-
          ndopt-06.txt, Internet draft (work in progress), January 2005.

[SEND-CGA]
          Aura, T., "Cryptographically Generated Addresses (CGA)",
          draft-ietf-send-cga-06.txt, Internet draft (work in progress),
          October 2004.

[MIPv6-EAP]
          Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., and
          M. Laurent-Maknavicius, "MIPv6 Authorization and Configuration
          based on EAP", draft-giaretta-mip6-authorization-eap-02.txt,
          Internet draft (work in progress), October 2004.

[MIPv6-IKEv2]
          Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the
          revised IPsec Architecture", draft-ietf-mip6-ikev2-ipsec-00.txt,
          Internet draft (work in progress), October 2004.

_______________________________________________

IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce