CURRENT_MEETING_REPORT_

Reported by Paul Lambert/Motorola

Minutes of the Internet Protocol Security Protocol Working Group (IPSEC)

The IP Security Working Group (IPSEC) met three times during the 31st
IETF. The first meeting focused on the development of the IP Security
Protocol (IPSP) specification.  The next two sessions covered the
development of the Internet Key Management Protocol (IKMP).


IP Security Protocol (IPSP)

The IPSP draft-in-progress was discussed with some debate on specific
PDU format issues.  Rough consensus was reached on the encapsulation
techniques and formats.  The baseline security transformations for IPSP
will place the Next Protocol, PAD Length, and optional PAD fields at the
end of the protected data.  These formats will be documented and
released late in December as a draft IPSP specification.

Jim Hughes (NSC) gave a short presentation on an implementation of a
network layer security device.  This system used an ethertype field
rather than an IP next protocol field and provided sequence integrity
and packet compression.


Internet Key Management Protocol (IKMP)

Seven presentations were given (Monday and Wednesday) on specific key
management approaches and proposals.


   o SESAME V3

   o ``IEEE Standard 802.10C - Key Management''
     IEEE 802.10C

   o ``Modular Key Management Protocol (MKMP)''
     (draft-cheng-modular-ikmp-00.txt)

   o ``Simple Key-Management For Internet Protocols (SKIP)''
     (draft-ietf-ipsec-aziz-skip-00.txt)

   o ``Photuris Key Management Protocol''
     (draft-karn-photuris-00.txt)

   o ``Group Key Management Protocol (GKMP)''
     (draft-harney-gkmp-spec-00.txt, draft-harney-gkmp-arch-00.txt)

   o ``Yet Another Key Management Proposal (YAKMP)''
     http://www.network.com/external/news_releases/security.shtml


A presentation on SESAME V3 was given by Piers McMahon (ICL
Enterprises).  SESAME V3 provides an approach for the interoperability
of asymmetric and symmetric systems - in particular Kerberos and RSA.
SESAME V3 KM protocol appears to have similar scope to the key
management work in IEEE 802.10.  This presentation was informational and
no proposal was made to directly use SESAME V3 as IKMP.

Russ Housley (Spyrus) gave a presentation on the IEEE 802.10C Key
Management specification.  The latest version of IEEE 802.10C is
available on-line (FTP from atlas.arc.nasa.gov in two files
/pub/sils/kmpd6.ps1 and kmpd6.ps2).  IEEE 802.10C uses the ISO Generic
Upper Layer Security (GULS) specification, the OSI Upper Layer
Architecture, and the ACSE protocol.  Concern was expressed about the
complexity of the GULS specification, but this concern was counteracted
when Russ indicated that the specification would be rewritten in
Internet style if the IETF adopted IEEE 802.10c.  IEEE 802.10c was the
most complete specification presented at the meeting.  It provides a
generic framework for key management, but does not currently provide a
worked example of the cryptographic processing.

The Modular Key Management Protocol (MKMP) was presented by Amir
Herzberg (IBM). MKMP has been documented as an Internet-Draft
(draft-cheng-modular-ikmp-00.txt) as a specific proposal for IKMP. MKMP
proposes a modular approach with an upper module in which a long-lived
(``master'') key is exchanged between the communicating parties, and a
lower module, in which the already shared (master) key is used for the
derivation, sharing and/or refreshment of additional short-lived keys to
be used for the cryptographic transformations applied to the data.  Some
of the techniques in this proposal are covered by IBM patents.  IBM is
working to grant ``royalty-free right'' to use of US Patent #5,148,479
``if the IBM proposal is included in the final Internet Standard'' and
``parties who commit to grant IBM rights of similar scope under their
patents that relate to the Internet Standard in question.''

Ashar Aziz (Sun Microsystems, Inc.)  presented a ``Simple Key-Management
For Internet Protocols'' (SKIP). SKIP is available as an Internet-Draft
(draft-ietf-ipsec-aziz-skip-00.txt).  SKIP was designed to solve a
specific multicast scenario.  The demonstration implementation of SKIP
was running a video application.  SKIP provides a means to create a key
with a unique ``one-way'' key establishment.  SKIP does not provide any
attribute negotiation.  A patent has been applied for by SUN on the SKIP
mechanism, but SUN has taken a position that:  ``The SKIP patents (when
they issue) will be placed in the public domain.  Anyone may use it if
they wish, with no rights or dues pertaining to Sun.  There will be no
need to license SKIP patent rights.''

Phil Karn (Qualcomm) presented ``Photuris and IKMP Requirements.''
Photuris is is an experimental key management protocol intended for use
with the IP Security Protocol (IPSP) in a point-to-point mode.  Photuris
combines Diffie-Hellman key exchange with RSA authentication to provide
perfect forward secrecy and is also designed to thwart certain types of
active denial of service attacks on host resources.  Photuris exchanges
a ``cookie'' before initiating public-key operations, thwarting the
saboteur from flooding the recipient using random IP source addresses.
Photuris also provides anonymity for the identities of the peer systems.
The flooding prevention and anonymity requirements were well received by
the working group.

The ``Group Key Management Protocol'' (GKMP) was described by Carl
Muckenhirn.  GKMP is being submitted to the Working Group for
consideration as a method of key management for multicast internet
services and is documented in two Internet-Drafts
(draft-harney-gkmp-spec-00.txt, draft-harney-gkmp-arch-00.txt).  The
GKMP architecture describes the management of cryptographic keys for
multicast communications.  GKMP provides the ability to create and
distribute keys within arbitrary-sized groups without the intervention
of a global/centralized key manager.  The GKMP combines techniques
developed for creation of pairwise keys with techniques used to
distribute keys from a KDC (i.e., symmetric encryption of keys) to
distribute symmetric key to a group of hosts.

Jim Hughes (Network Systems Corporation) gave a presentation on ``Yet
Another Key Management Proposal.''  The signaling used by NSC in their
secure router product was described.  The device uses RSA for
authentication, Diffie-Hellman for key exchange, a number of symmetric
ciphers, MD5 for data integrity and also provides data compression.  NSC
provided detailed descriptions of their design and stated that they
intend to follow the recommendations and implement the results of the
IPSEC Working Group:


     http://www.network.com/external/news_releases/security.shtml


IKMP Discussion and Issues

A group discussion on the various proposals focused on a matrix of
comparison criteria.  These criteria included:  Published
Internet-Draft, Key Exchange Independence, Worked Public Key Based Key
Exchange, Public Key Methods, Symmetric Key Methods, Attribute
Negotiations (for SA, and during which phase?), Application Protocol
(not Built into IPSP), Multicast Support, Defeat Bogus Initiates, Hiding
Certificates Exchanged (Encrypting), Working Code/Implementation,
Security Management Protocol (versus just session key establishment),
one-way exchange, perfect forward secrecy, RSAREF implementable,
performance, and revocation.

Evaluation of the proposal features will be discussed on the net by
evaluating and ranking IKMP requirements.  The work on IKMP will focus
over the next period on the comparison and consolidation of the
proposals.