Current Meeting Report

Reported by Marcus Leech/Bell Northern Research

Minutes of the Authenticated Firewall Traversal Working Group (AFT)

There were 87 people in attendance at this session -- about 20 more than in San Jose. The AFT Chair believes this indicates a trend in interest in firewalls in general, and in standard application-layer traversal protocols.

Discussion

There was some discussion of ICMP propagation towards the SOCKS client for unreachable servers. Since this specific case will be reflected in a failed SOCKS request, with explicit TCP-layer notification to the client, handling of ICMP was not felt necessary. More discussion will follow on the list.

Additional discussion of allocation of method numbers by IANA and private concerns needs to be undertaken on the mailing list.

It was felt that association lifetime should be explicitly under the control of the SOCKS client, and that a UDP ASSOCIATE request could contain an expected lifetime, or an idle-timeout value. A slight wording change is required so that the client closes the connection on termination of a UDP ASSOCIATE request, rather than the server.

There was general consensus that UDP traversals should be afforded the same types of protection ("security transforms") as TCP traversals, if the underlying security mechanism supports this. The current draft offers only integrity/authenticity for UDP, using a common mechanism that is largely independent of the underlying "security transform." It was generally felt that the wording of MAC computation for UDP needed to be cleaned up. In light of the sentiment that UDP protection should be under control of the underlying security mechanism, the currently-described MAC protection for UDP can probably be scrapped.

The language for UDP fragmentation needs to be cleaned up, and it needs to be made clear that such support is optional.
The Internet-Draft submitted by Piers McMahon for a GSSAPI-based authentication method for SOCKS was generally well received. Slight editorial changes will be required to support full protection of UDP traversals.

The Internet-Draft submitted by Marcus Leech for username/password authentication was generally well received, with no comment.