Editor's Note: Minutes Received 7/23

CURRENT_MEETING_REPORT_

Reported by Ron Sharp/AT&T

Minutes of the Commercial Internet Protocol Security Option Working Group (CIPSO)

Due to other IETF meetings and additional TSIG plenary sessions, the Working Group met for only six hours this meeting. The primary discussions involved the IETF/TSIG relationship and how to allow and encourage more participation from other IETF members. There was also much discussion concerning the Internet Draft entitled ``Son of IPSO'' that was submitted by Michael StJohns.

The format for this meeting changed a little. Issues were presented and discussed; however, there was no voting to determine the Group's consensus. Some new attendees felt that voting gave the impression that all work and decisions were done at the meetings, and that anyone who could not attend the meetings was left out. That was not the intended purpose of voting; however, it must be admitted that the result may still be the same. We encourage anyone to participate either at the meetings or electronically. Ron Sharp has been trying to push people into using the electronic media more, but it has been used only a little. When an issue does come up on the mailing list and is not resolved, Ron includes it in the Agenda for the next meeting. Even if there is a consensus at the meeting, the issue is still alive as long as someone is willing to discuss it in any forum.

Ron will go over the issues discussed and the resolutions that were proposed. Please respond to the mailing list if you disagree with any of the proposals. If Ron hears no discussion, he will make the appropriate change to the specification. Even then the issue is not dead and may be brought up at a later time when some things may be clearer, though the sooner the better for everyone.

Issue 1: Changes to CIPSO Version 2.2

There were several nit changes to the CIPSO specification for accuracy and readability.
These changes will be marked in the next release of the CIPSO specification. The process for releasing the specification was also changed. As editor of the specification, Ron will gather the comments from the meetings and the mailing list and will make the appropriate changes. He will first put the new specification out on the mailing list for comments. After two weeks or so, depending on the comments received, Ron will send a revised version to the Internet Drafts database. He hopes to have a new draft of CIPSO 2.2 out for comments soon that will include the last two meetings and the discussions between the meetings.

Issue 2: CIPSO MIBs

Tabled.

Issue 3: Router Participation

There were at least two router vendors at this meeting, from cisco and 3com. It is hoped that more will be heard from them on the mailing list describing their needs and requirements. The cisco representative said that cisco is waiting for a decision to be made as to which is going to be the next IP label. She said they were about to go with CIPSO when SIPSO came out. We need to get to one specification, one label, soon.

Issue 4: Test Plan

The next IETF CIPSO Working Group meeting will be in conjunction with TSIG in Minneapolis, Sept 22-24. At this meeting several vendors will bring their CIPSO implementations and test interoperability. Cray has graciously offered to host the meeting for the interoperability test. Aaron Schuman of SGI wrote a test plan to use. The plan was reviewed and several changes were made. The primary change was to use telnet as the application to test basic CIPSO functionality. Telnet was chosen since it is common to all implementations. Aaron will get a revised test plan out prior to the next meeting.

Issue 5: CIPSO, BSO Translation

Aaron presented a solution to allow a CIPSO gateway machine to translate BSO labels to CIPSO labels and CIPSO labels to BSO labels. The security level would be mapped to the corresponding value for the other label. The BSO PAFs would map to CIPSO DOIs.
Each combination of PAF flags would be a unique DOI. Mike suggested including this map directly in the CIPSO specification.

Issue 6: BSO tag type

Tabled.

Issue 7: Future of CIPSO Working Group

The Group decided to meet next time in conjunction with TSIG. A lot of electronic discussion is needed to resolve some of the remaining issues. The primary issues are described at the end of the Minutes. Steve Crocker agreed to work with us to resolve all issues between CIPSO and SIPSO prior to the next IETF meeting. The goal is to have a CIPSO specification that is acceptable to the IETF and the CIPSO vendors and that incorporates the best of both specifications. Without a resolution soon, we will end up with three standards: IPSO will still be out there and included in new systems since there is no new unified label; CIPSO vendors will continue to ship CIPSO, but it will not be based on an IETF standard, which they would prefer; and SIPSO will be trying to get vendor participation.

Issue 8: CIPSO Option Processing

MSJ felt that the description of option processing in the specification should be split out by end systems, intermediate systems, and routers. I will look at SIPSO and make appropriate changes to make the processing clearer.

Overall it was a good meeting. The Group did not get many issues covered, but there was more dialogue as to what is expected of CIPSO to finally get to Proposed Standard stage, which is long overdue. Ron feels there are still four primary issues that must be addressed and resolved between the CIPSO vendors and a few other IETF members. These are listed below:

o A. IPSO backward compatibility. MSJ feels that the first 4 bytes of CIPSO could look like IPSO and thus have interoperability. The PAFs would represent a unique DOI as discussed in Issue 5 above. If we could truly get backward compatibility, then we could more quickly move to one IP security option, which is what everyone wants.
There is the question of whether existing implementations like BLACKER can accept these new CIPSO options without modifications. If modifications are necessary, then why not just move to a full CIPSO and get the added flexibility and interoperability a full CIPSO implementation offers. There is also concern that this would tie CIPSO to a particular security policy, that of the US DOD, when the commercial market has shown little interest in hierarchical labels.

o B. Number of CIPSO tags supported in this RFC. The current draft has three tags to allow for large category sets. MSJ questions whether 3 are necessary.

o C. CIPSO currently allows for tag types above 127 to be defined by the DOI. This allows for support of new policies such as integrity and for hiding classified formats and definitions. There is a concern that this could lead to interoperability problems. The Working Group has been working on this issue, and the current draft includes words that state that implementations that support tags above 127 must be able to configure a DOI that does not require those tags. This will assure communication using standard, well-defined tags in the event of an emergency like the Gulf war.

o D. Inclusion of application to TCP or UDP interface processing rules. It is felt that, while this is a good idea, it may belong in an RFC that describes a network level security option. SIPSO includes some of these rules; however, they are included as suggestions.

The above should cover the last meeting and where the Group is currently. If anything has been missed, please respond to the mailing list. Discussion of the four issues identified is needed. If anyone feels there are others, then please include them. There are other issues such as options processing; however, Ron has confidence that these can be worked out. Thanks for attending the meeting and helping out. A special thanks to Aaron Schuman, who presented two homework items AND recorded the minutes which were used to produce these minutes.
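The BSO-to-CIPSO translation described in Issue 5 (levels map to corresponding values, each combination of PAF flags gets its own DOI), which item A above revisits, can be made concrete with a small gateway translator. The following is an added example written for these minutes, not code from the Working Group or from any CIPSO or IPSO implementation. It takes the BSO byte layout (option type 130, classification octet, Protection Authority Flag octets) from RFC 1108 and the CIPSO option layout (option type 134, 4-byte DOI, tag type 1 with an alignment octet and a sensitivity level) from the CIPSO draft. The CIPSO level numbers and the DOI values it assigns to each PAF combination are constructed placeholders, since the minutes fix neither and real DOI assignments are made per deployment.

```python
"""
Added example: a toy gateway translating an IPSO Basic Security Option (BSO)
to a CIPSO option and back, in the style of Issue 5 of the CIPSO minutes.
Not code from the Working Group or from any IPSO/CIPSO implementation.
"""
import struct

BSO_TYPE = 130    # RFC 1108 Basic Security Option type
CIPSO_TYPE = 134  # CIPSO option type

# RFC 1108 classification level encodings.
BSO_LEVELS = {0xAB: "unclassified", 0x96: "confidential",
              0x5A: "secret", 0x3D: "top secret"}
BSO_LEVEL_BY_NAME = {v: k for k, v in BSO_LEVELS.items()}

# CIPSO tag 1 sensitivity levels are DOI-defined; these numbers are an
# assumption made for this example (0 = lowest).
CIPSO_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
NAME_BY_CIPSO_LEVEL = {v: k for k, v in CIPSO_LEVELS.items()}

# RFC 1108 PAF octet, MSB first: GENSER, SIOP-ESI, SCI, NSA, DOE, two unused
# bits, and the field termination indicator (LSB; 1 = another octet follows).
PAF_FLAGS = {0x80: "GENSER", 0x40: "SIOP-ESI", 0x20: "SCI", 0x10: "NSA", 0x08: "DOE"}
PAF_MASK = 0xF8
PAF_CONTINUE = 0x01

# Constructed DOI space: every distinct PAF combination gets a distinct DOI by
# packing the five flag bits into the low bits of a placeholder base value.
DOI_BASE = 0x00010000


def paf_to_doi(paf_octet):
    """Map one PAF combination to its unique (constructed) DOI."""
    return DOI_BASE | ((paf_octet & PAF_MASK) >> 3)


def doi_to_paf(doi):
    """Inverse of paf_to_doi; rejects DOIs outside the translation range."""
    if doi & ~0x1F != DOI_BASE:
        raise ValueError("DOI %#x is not in the BSO-translation range" % doi)
    return (doi & 0x1F) << 3


def parse_bso(opt):
    """Return (level_name, paf_octet); this example expects exactly one PAF octet."""
    if len(opt) < 4 or opt[0] != BSO_TYPE or opt[1] != len(opt):
        raise ValueError("malformed BSO option")
    level = BSO_LEVELS.get(opt[2])
    if level is None:
        raise ValueError("unknown BSO classification %#x" % opt[2])
    paf = opt[3]
    if paf & PAF_CONTINUE:
        raise ValueError("multi-octet PAF fields are not in this example's map")
    return level, paf


def build_cipso(doi, level):
    """CIPSO option carrying one tag type 1: type, length, alignment, level."""
    tag = bytes([1, 4, 0, level])
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_TYPE, 2 + len(body)]) + body


def parse_cipso(opt):
    """Return (doi, level) from a CIPSO option holding a single tag type 1."""
    if len(opt) < 6 or opt[0] != CIPSO_TYPE or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    tags = opt[6:]
    if len(tags) < 4 or tags[0] != 1 or tags[1] != len(tags):
        raise ValueError("expected a single tag type 1")
    if len(tags) > 4:
        # A non-empty category bitmap cannot be expressed in a BSO.
        raise ValueError("CIPSO categories have no BSO equivalent")
    return doi, tags[3]


def bso_to_cipso(opt):
    """Gateway direction 1: BSO bytes in, CIPSO bytes out."""
    level, paf = parse_bso(opt)
    return build_cipso(paf_to_doi(paf), CIPSO_LEVELS[level])


def cipso_to_bso(opt):
    """Gateway direction 2: CIPSO bytes in, BSO bytes out."""
    doi, lvl = parse_cipso(opt)
    name = NAME_BY_CIPSO_LEVEL.get(lvl)
    if name is None:
        raise ValueError("CIPSO level %d has no BSO equivalent" % lvl)
    return bytes([BSO_TYPE, 4, BSO_LEVEL_BY_NAME[name], doi_to_paf(doi)])


if __name__ == "__main__":
    # Constructed sample: Secret, GENSER + SCI (0x80 | 0x20).
    bso = bytes([BSO_TYPE, 4, 0x5A, 0xA0])
    cipso = bso_to_cipso(bso)
    print(cipso.hex(), cipso_to_bso(cipso) == bso)
```

The reverse direction refuses a CIPSO label that carries categories or a DOI outside the translation range, because a BSO has no field for either; a real gateway would have to decide whether such packets are dropped or rejected, which the minutes leave open.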
Ok, now let's hear some discussion on the remaining issues.

Attendees

George Abe 4247140@mcimail.com
J. Allard jallard@microsoft.com
Randall Atkinson atkinson@itd.nrl.navy.mil
Suhas Badve badve@cup.hp.com
Uri Blumenthal uri@watson.ibm.com
C. Douglas Brown cdbrown@sandia.gov
Robert Ching natadm!rching@uunet.uu.net
Mark Christenson mgc@cray.com
Frank Coviello
John Ioannidis ji@cs.columbia.edu
James Keller j.keller@sprint.com
Paulina Knibbe knibbe@cisco.com
Kent Malave kent@chang.austin.ibm.com
Mary Christine O'Connor oconnor@interlan.com
Charles Perkins perk@watson.ibm.com
Paul Sangster sangster@ans.net
Aaron Schuman schuman@sgi.com
Ron Sharp rls@neptune.att.com
Jeremy Siegel jzs@nsd.3com.com
Richard Slade ricks@ssd.csd.harris.com
Michael St. Johns stjohns@umd5.umd.edu
Dean Throop throop@dg-rtp.dg.com
James Watt jamesw@newbridge.com
Luanne Waul luanne@wwtc.timeplex.com
Peter Williams p.williams@uk.ac.ucl.cs