CURRENT_MEETING_REPORT_

Reported by Paul Lambert/Motorola

Minutes of the Internet Protocol Security Protocol Working Group (IPSEC)

The IP Security Working Group (IPSEC) met three times during the 31st IETF. The first meeting focused on the development of the IP Security Protocol (IPSP) specification. The next two sessions covered the development of the Internet Key Management Protocol (IKMP).

IP Security Protocol (IPSP)

The IPSP draft-in-progress was discussed with some debate on specific PDU format issues. Rough consensus was reached on the encapsulation techniques and formats. The baseline security transformations for IPSP will place the Next Protocol, PAD Length, and optional PAD fields at the end of the protected data. These formats will be documented and released late in December as a draft IPSP specification.

Jim Hughes (NSC) gave a short presentation on an implementation of a network layer security device. This system used an ethertype field rather than an IP next protocol field and provided sequence integrity and packet compression.

Internet Key Management Protocol (IKMP)

Seven presentations were given (Monday and Wednesday) on specific key management approaches and proposals.

   o  SESAME V3
   o  ``IEEE Standard 802.10C - Key Management'' IEEE 802.10C
   o  ``Modular Key Management Protocol (MKMP)'' (draft-cheng-modular-ikmp-00.txt)
   o  ``Simple Key-Management For Internet Protocols (SKIP)'' (draft-ietf-ipsec-aziz-skip-00.txt)
   o  ``Photuris Key Management Protocol'' (draft-karn-photuris-00.txt)
   o  ``Group Key Management Protocol (GKMP)'' (draft-harney-gkmp-spec-00.txt, draft-harney-gkmp-arch-00.txt)
   o  ``Yet Another Key Management Proposal (YAKMP)'' http://www.network.com/external/news_releases/security.shtml

A presentation on SESAME V3 was given by Piers McMahon (ICL Enterprises). SESAME V3 provides an approach for the interoperability of asymmetric and symmetric systems - in particular Kerberos and RSA.
SESAME V3 KM protocol appears to have similar scope to the key management work in IEEE 802.10. This presentation was informational and no proposal was made to directly use SESAME V3 as IKMP.

Russ Housley (Spyrus) gave a presentation on the IEEE 802.10C Key Management specification. The latest version of IEEE 802.10C is available on-line (FTP from atlas.arc.nasa.gov in two files /pub/sils/kmpd6.ps1 and kmpd6.ps2). IEEE 802.10C uses the ISO Generic Upper Layer Security (GULS) specification, the OSI Upper Layer Architecture, and the ACSE protocol. Concern was expressed about the complexity of the GULS specification, but this concern was counteracted when Russ indicated that the specification would be rewritten in Internet style if the IETF adopted IEEE 802.10c. IEEE 802.10c was the most complete specification presented at the meeting. It provides a generic framework for key management, but does not currently provide a worked example of the cryptographic processing.

The Modular Key Management Protocol (MKMP) was presented by Amir Herzberg (IBM). MKMP has been documented as an Internet-Draft (draft-cheng-modular-ikmp-00.txt) as a specific proposal for IKMP. MKMP proposes a modular approach with an upper module in which a long-lived (``master'') key is exchanged between the communicating parties, and a lower module, in which the already shared (master) key is used for the derivation, sharing and/or refreshment of additional short-lived keys to be used for the cryptographic transformations applied to the data. Some of the techniques in this proposal are covered by IBM patents. IBM is working to grant ``royalty-free right'' to use of US Patent #5,148,479 ``if the IBM proposal is included in the final Internet Standard'' and ``parties who commit to grant IBM rights of similar scope under their patents that relate to the Internet Standard in question.''

Ashar Aziz (Sun Microsystems, Inc.) presented a ``Simple Key-Management For Internet Protocols'' (SKIP).
SKIP is available as an Internet-Draft (draft-ietf-ipsec-aziz-skip-00.txt). SKIP was designed to solve a specific multicast scenario. The demonstration implementation of SKIP was running a video application. SKIP provides a means to create a key with a unique ``one-way'' key establishment. SKIP does not provide any attribute negotiation. A patent has been applied for by SUN on the SKIP mechanism, but SUN has taken a position that: ``The SKIP patents (when they issue) will be placed in the public domain. Anyone may use it if they wish, with no rights or dues pertaining to Sun. There will be no need to license SKIP patent rights.''

Phil Karn (Qualcomm) presented ``Photuris and IKMP Requirements.'' Photuris is an experimental key management protocol intended for use with the IP Security Protocol (IPSP) in a point-to-point mode. Photuris combines Diffie-Hellman key exchange with RSA authentication to provide perfect forward secrecy and is also designed to thwart certain types of active denial of service attacks on host resources. Photuris exchanges a ``cookie'' before initiating public-key operations, thwarting the saboteur from flooding the recipient using random IP source addresses. Photuris also provides anonymity for the identities of the peer systems. The flooding prevention and anonymity requirements were well received by the working group.

The ``Group Key Management Protocol'' (GKMP) was described by Carl Muckenhirn. GKMP is being submitted to the Working Group for consideration as a method of key management for multicast internet services and is documented in two Internet-Drafts (draft-harney-gkmp-spec-00.txt, draft-harney-gkmp-arch-00.txt). The GKMP architecture describes the management of cryptographic keys for multicast communications. GKMP provides the ability to create and distribute keys within arbitrary-sized groups without the intervention of a global/centralized key manager.
The GKMP combines techniques developed for creation of pairwise keys with techniques used to distribute keys from a KDC (i.e., symmetric encryption of keys) to distribute symmetric key to a group of hosts.

Jim Hughes (Network Systems Corporation) gave a presentation on ``Yet Another Key Management Proposal.'' The signaling used by NSC in their secure router product was described. The device uses RSA for authentication, Diffie-Hellman for key exchange, a number of symmetric ciphers, MD5 for data integrity and also provides data compression. NSC provided detailed descriptions of their design and stated that they intend to follow the recommendations and implement the results of the IPSEC Working Group:

   http://www.network.com/external/news_releases/security.shtml

IKMP Discussion and Issues

A group discussion on the various proposals focused on a matrix of comparison criteria. These criteria included: Published Internet-Draft, Key Exchange Independence, Worked Public Key Based Key Exchange, Public Key Methods, Symmetric Key Methods, Attribute Negotiations (for SA, and during which phase?), Application Protocol (not Built into IPSP), Multicast Support, Defeat Bogus Initiates, Hiding Certificates Exchanged (Encrypting), Working Code/Implementation, Security Management Protocol (versus just session key establishment), one-way exchange, perfect forward secrecy, RSAREF implementable, performance, and revocation.

Evaluation of the proposal features will be discussed on the net by evaluating and ranking IKMP requirements. The work on IKMP will focus over the next period on the comparison and consolidation of the proposals.
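
An added sketch of the cookie exchange described for Photuris above, which is also what the ``Defeat Bogus Initiates'' criterion asks for (example code written for this page, not taken from the minutes or from the Photuris draft): the responder answers a first message with a keyed hash of the claimed source and stores nothing, and performs public-key work only when that value comes back. The HMAC construction, field layout, cookie length, port and addresses are assumptions for illustration, not the Photuris wire format.

```python
import hashlib
import hmac
import os

COOKIE_LEN = 16  # assumed cookie size for this sketch


class Responder:
    """Does no public-key work and keeps no per-peer state until a cookie returns."""

    def __init__(self, secret):
        self._secret = secret      # local secret, never sent on the wire
        self.public_key_ops = 0    # counts simulated Diffie-Hellman/RSA work

    def _cookie(self, src_ip, src_port, initiator_cookie):
        # Keyed hash bound to the claimed source, recomputable on demand.
        msg = f"{src_ip}|{src_port}|".encode() + initiator_cookie
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def on_cookie_request(self, src_ip, src_port, initiator_cookie):
        # Cheap reply: one hash, nothing stored. A sender using a forged
        # source address never receives this value.
        return self._cookie(src_ip, src_port, initiator_cookie)

    def on_key_exchange(self, src_ip, src_port, initiator_cookie, responder_cookie):
        expected = self._cookie(src_ip, src_port, initiator_cookie)
        if not hmac.compare_digest(expected, responder_cookie):
            return False           # dropped before any expensive operation
        self.public_key_ops += 1   # stand-in for the real key exchange
        return True


def simulate():
    """Constructed traffic: one real initiator, 1000 forged-source messages, one replay."""
    r = Responder(secret=b"constructed-demo-secret")
    ic = b"\x01" * COOKIE_LEN
    rc = r.on_cookie_request("192.0.2.10", 40000, ic)
    legit = r.on_key_exchange("192.0.2.10", 40000, ic, rc)
    dropped = 0
    for i in range(1000):
        src = f"198.51.100.{i % 254 + 1}"
        ok = r.on_key_exchange(src, 40000, os.urandom(COOKIE_LEN), os.urandom(COOKIE_LEN))
        dropped += 0 if ok else 1
    # A valid cookie presented from a different address does not verify.
    replay = r.on_key_exchange("203.0.113.7", 40000, ic, rc)
    return legit, dropped, replay, r.public_key_ops


if __name__ == "__main__":
    print(simulate())
```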