Minutes of the 2013-10-09 IAB Teleconference (Tech Chat & Business Meeting)
1. Roll-call, agenda-bash, administrivia
- Bernard Aboba
- Jari Arkko (IETF Chair)
- Marc Blanchet
- Ross Callon
- Alissa Cooper
- Mat Ford (ISOC Liaison)
- Joel Halpern
- Russ Housley (IAB Chair)
- Barry Leiba (IESG Liaison)
- Xing Li
- Cindy Morgan (IAB Executive Assistant)
- Erik Nordmark
- Andrew Sullivan
- Dave Thaler
- Hannes Tschofenig
- Mary Barnes (IAB Executive Director)
- Lars Eggert (IRTF Chair)
- Heather Flanagan (RFC Editor Liaison)
- Eliot Lear
- Alexey Melnikov (RSOC Chair)
- Stephen Farrell
- Sean Turner
Cindy Morgan reminded IAB members to make their hotel reservations for
IETF 88 as soon as possible, as the room block is filling up.
2. Tech Chat: IETF Response To Pervasive Monitoring
Stephen Farrell and Sean Turner joined the IAB to discuss the IETF response to pervasive monitoring. The slides Stephen presented during the tech chat can be found here: http://down.dsg.cs.tcd.ie/misc/ppiab/perpass-pressie.pdf
Stephen noted that recent revelations about the actions of the NSA and others are an attack on the network, and that it is an attack of a sort that we are likely to see more of in the future. Large-scale pervasive monitoring is not a threat model that had previously been considered when designing protocols. Stephen also pointed out that while purely technical responses to such threats will not fully counter such attacks, the technical work is still worth doing.
Stephen suggested that the IETF’s approach should be to make pervasive monitoring more expensive, while also improving security and privacy. Some of these changes may affect long-held positions, deployments, or business models and as such may take longer to be agreed upon and deployed.
Stephen noted that, with the attention currently being paid to the topic of pervasive monitoring in the media, there is energy to do the work; however, that energy will not last forever, so acting sooner rather than later would be better. He opined that the IETF could face credibility damage if it is seen as not acting on the situation. Stephen also noted that with the publicity surrounding the issue, the NSA has not just crossed a line–they have moved it.
Russ Housley asked if IETF should say something about designing protocols to make pervasive monitoring more difficult. Stephen replied that there is currently a -00 draft (draft-cooper-ietf-privacy-requirements) intended as a BCP that discusses this. Russ noted that such messaging is fine for the IETF community, but in order to make that message clear to those outside the IETF community (e.g., governments), less subtle approaches will need to be used. Saying that wide-scale pervasive monitoring is a bad thing is different from designing protocols to make it more difficult to do.
Stephen Farrell reported that some actions have already been taken or are in progress:
- The IETF has established the Perpass mailing list [https://www.ietf.org/mailman/listinfo/perpass] to discuss the privacy properties of IETF protocols and concrete ways in which those could be improved.
- The IAB has planned the IETF 88 Technical Plenary topic to be “Internet Hardening.”
- The IAB is planning a workshop on Internet Hardening prior to IETF 89 in London.
- draft-trammell-perpass-ppa (still in early stages) makes a start at describing the threat model for protocol designers.
Dave Thaler asked what process would be used to apply the threat analysis to actual work. Stephen Farrell replied that there was not yet an answer to that question, but that the first part is to get a description that is useful enough so that people can educate themselves. Sean Turner noted that if TLS is updated to mandate perfect forwarding secrecy, then much of this will likely fall away in the short term.
Russ Housley noted that people need to be made aware; it is clear that those working on security understand the problem, but beyond them, education is required.
The board discussed opportunistic encryption as the minimum requirement for protocols that include personal identifying information. Dave Thaler asked if that would also be true in scenarios where the same entity manages the endpoints and all the links in between, noting that it may be difficult for those outside the security community to accept. Stephen Farrell agreed that going from an insecure protocol to a secure version can have a huge administrative burden, and that knowing when it is practical to do so could be difficult. He noted that with all of the recent attention on the issue, it may be interesting to see if the consensus of the IETF community supports taking a harder line on security requirements. Jari Arkko noted that the IETF may not be able to mandate, but that it can show what is available to be used.
Stephen Farrell concluded his presentation, noting that this is a new scale of attack for the IETF, and that the technical work is not all that must be done. Jari Arkko noted that beyond the attack, the IETF should look at the overall impact of the security of the Internet; the issue is bigger than the current set of attacks.
The board agreed to post the backup materials from Stephen Farrell’s presentation to the public IAB wiki [http://trac.tools.ietf.org/group/iab/trac/] and send a link out to the IETF community in preparation for the Technical Plenary at IETF 88.
Hannes Tschofenig reminded the board that the IAB is planning a workshop on this topic prior to IETF 89. The current plan is to announce the workshop during the IETF 88 plenary, and then send the call for papers in mid-November.
3. Meeting Minutes
The minutes from the 25 September 2013 and 2 October 2013 business meetings were approved.
4. Timing of Liaison Reports to IAB
The IAB agreed to move the discussion of liaison reports to the IAB from the fourth Wednesday of the month to the second Wednesday of the month. Cindy Morgan will follow up with the liaison managers about the new schedule.
5. BOF Coverage at IETF 88
Cindy Morgan reported that the sessions that will run in parallel to BOFs at IETF 88 have been added to the internal wiki. She asked IAB members to review the conflicts and sign up for BOF coverage accordingly. The conflict list will be updated as the agenda changes.
6. IAB Statement on NIST SP 800-90 A
After a brief discussion, the board agreed that Russ Housley would start an e-vote on version 10 of the draft IAB Statement on NIST SP 800-90 A (Recommendation for Random Number Generation Using Deterministic Random Bit Generators).
7. Report from I* CEO Meeting in Montevideo
Russ Housley reported that the CEOs of ICANN, IANA, ISOC, IAB, IETF, W3C, and the 5 RIRs met in Montevideo. The main topic of discussion was moving to a state where the United States government does not have a special relationship with IANA, and where all of the stakeholders participate in IANA coordination on equal footing. The leaders attending this meeting released a press statement on the future of internet cooperation [http://www.iab.org/documents/correspondence-reports-documents/2013-2/montevideo-statement-on-the-future-of-internet-cooperation/] on 7 October 2013.
Russ Housley reported that discussions in Montevideo also included improving the internet experience for users who only have an IPv6 address (and no IPv4 address), and the upcoming ITU Plenipotentiary