IPSRA Minutes 3-28-00

Agenda was bashed

Charter review -- Sara Bitan
    Pointed people to the charter
    Goals:
        Address assignment and configuration
        User authentication
    Can't change IKE

Requirements -- Scott Kelly
    Reviewed draft-ietf-ipsra-reqmts-00.txt
    Terminology
    Endpoint authentication
        Question about how to distinguish between user and machine
        certificate and whether it is important
    Remote host device configuration features
    Security policy configuration -- probably outside of WG charter
    Mobility -- do we need this to be different than above?
    Scenarios covered in the document
    Commonalities in the scenarios

Framework/architecture document: Sara put out request for volunteers

Key exchange proposals
    draft-bellovin-ipsra-getcert -- Steve Bellovin
        Four sub-proposals
        Approach: Use existing tools, such as SSL over HTTP
        Client-side cert generation
        Server-side key generation
        Server-side key storage
        Server-generated shared secrets
        Issues
            Questions about whether we want this to be a one-time cert issuance
            Questions about whether this is just an enrollment protocol
    draft-ietf-ipsra-pic -- Yaron Sheffer
        Overview
        Terminology
        One-way secure channel where the server is authenticated
        After channel is up, use XAuth
        Same types of credentials as Bellovin
        First part isn't a type of IKE
    draft-kelly-ipsra-userauth -- Scott Kelly
        Create an IKE SA
        Go into limited Phase 2, do auth exchange there
        After auth, either refocus the Phase 2 or kill it and start others

Config proposals
    draft-ietf-ipsec-dhcp -- Bernard Aboba
        Config requirements
        Security requirements
        DHCP packet body
        DHCP options
        Address pool selection
        Walkthrough
        Comparison with L2TP in Phase 2
    draft-ietf-pppext-secure-ra -- Pyda Srisuresh
        Using L2TP to do config
        Enterprise trust model
        Remote access server features
        LNS as a NAS
        SRAS extensions to LNS
        RADIUS protocol extensions
        Questions about whether this is a proper use of L2TP