Better-Than-Nothing Security BOF (btns)

Monday, March 7 at 1300-1500
============================

CHAIR: Sam Weiler

AGENDA:

(1) Agenda bashing (5 minutes)
(2) Review of BTNS goals (15 mins)
(3) Charter bashing (20 mins)
(4) Milestones bashing (20 mins)

Mailing List info. and preliminary Internet Drafts:
http://www.postel.org/anonsec

DESCRIPTION:

The current Internet Protocol security protocol (IPsec) and Internet Key Exchange protocol (IKE) present something of an all-or-nothing alternative; these protocols provide protection from a wide array of possible threats, but are sometimes not deployed because of the need for cumbersome key management infrastructure or complex configuration.

This working group will develop extensions to existing IPsec and IKE protocols to support relaxed variants that reduce their need for pre-shared keys and/or key management infrastructure. These relaxed variants provide weaker security guarantees than their conventional counterparts, but should be sufficient for use in limited environments, e.g., to protect against off-path attacks but not man-in-the-middle, or to protect connections without regard for authoritative identification of communicating parties.

The goal of these relaxed variants is to enable and encourage the use of network security where it has been difficult to deploy - notably, to enable simpler, more rapid deployment.

The IPsec and IKE extensions will be developed in a manner consistent with use with channel binding. This work should not preclude the binding of security thus provided with security at other layers.

The WG has the following specific goals over three IETF meetings:

a) develop a framework document to describe the motivation and goals of these infrastructure-free variants of security protocols in general, and IPsec and IKE in particular

b) develop an applicability statement, characterizing a reasonable set of threat models with relaxed assumptions suitable for infrastructure-free use, and describing the limits and conditions of appropriate use of infrastructure-free variants

c) develop IPsec and IKE extensions and/or configurations that provide the desired infrastructure-free use