Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[802SEC] FW: [New-work] New BOF in Internet Area - ICOS

The following new-work announcement in the IETF may be of interest to
members of your working groups.  Please forward to your individual
working groups if appropriate.


-----Original Message-----
From: [] On
Behalf Of
Sent: Thursday, March 03, 2005 11:43 PM
Subject: [New-work] New BOF in Internet Area - ICOS

IP Configuration Security BOF (icos)

Thursday, March 10 at 0900-1130

CHAIRS: Bernard Aboba <>
        Jari Arkko <>


Pleminaries: (5 minutes)
- Minute Takers
- Bluesheets

IP Configuration Security Problem, Bernard Aboba (10 minutes)

Why do we care, TBD (10 minutes)

EAP and its Applicability, Bernard Aboba (15 minutes)

Overview of The MIPv6 Bootstrap Problem, James Kempf (15 minutes)
(more documents in the reading list)

Overview of DHCP Security, Mark Stapp/Ralph Droms (15 minutes)
.txt (To Be

Overview of Secure Configuration in SEND, Jari Arkko (10 minutes)

NSIS Secure Configuration Issues, Hannes Tschofenig (5 mins)

Overview of Other IP Layer Needs, TBD (5 min)
- Mobile IPv4
- IKEv2

Discussion and Wrapup (25 minutes)here are also some papers available at
the web page.


Internet layer configuration is defined as the configuration required to
support the operation of the Internet layer.  This includes IP address
configuration, default gateway(s), name server configuration, boot
configuration (TFTP, NFS), service location and directory configuration,
mobility configuration, and time server configuration (NTP).

Configuration is typically performed insecurely today.  For example,
DHCP is rarely secured due to the need for keys to be set up between
clients and servers. In other cases, such as in Mobile IPv6, tools for
secure configuration exist and their use is required, but there are
deployment barriers.

As a result, Internet Area working groups are exploring alternative
solutions. These include use of EAP for use for key derivation, and
configuration. For example, the DHC WG has considered employment of
EAP-derived keys for use with DHCP security, as defined in RFC 3118 and
3315.  The MIPv6 WG, in investigating the bootstrapping problem, has
considered proposals involving use of IKEv2 with EAP, as well as
utilization of link layer EAP exchanges for configuration.

The SEND working group defined a certificate-based authorization for
routers, where hosts prefer a router that has a certificate traceable to
a trusted root configured for the host. SEND also defined zero
configuration mechanism for secure IP address configuration, based on
Cryptographically Generated Addresses (CGAs).

This BOF will provide an overview of Internet layer secure configuration
needs, discussing the architectural issues and potential solutions under
discussion. The purpose of the BOF is to discuss a common topic that
touches several existing Working Groups, and it is not expected that a
new working group will be formed as a result.

Reading list:

[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
          RFC 3118, June 2001.

[RFC3315] Droms, R., Ed., Bound, J., Volz,, B., Lemon, T., Perkins, C.
          and M. Carney, "Dynamic Host Configuration Protocol for IPv6
          (DHCPv6)", RFC 3315, July 2003.

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
          Lefkowetz, "Extensible Authentication Protocol (EAP)", RFC
          3748, June 2004.

[RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
          (DHCP) Service for IPv6", RFC 3736, April 2004.

[RFC3756] Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor
          Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

[RFC3818] Schryver, V., "IANA Considerations for Point-to-Point
          Protocol", RFC 3818, June 2004.

[ANYCAST] Hagino, J., and K. Ettikan, "An Analysis of IPv6 Anycast",
          draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt, Internet draft
          (work in progress), June 2003.

          Hibbs, R., Smith, C., Volz, B., Zohar, M., "Dynamic Host
          Configuration Protocol for IPv4 (DHCPv4) Threat Analysis",
          draft-ietf-dhc-v4-threat-analysis-02.txt, Internet draft (work
          in progress), April 2004.

          Prigent, N., Marchand, J., Dupont, F., Cousin, B., Laurent-
          Maknavicius, M. and J. Bournelle, "DHCPv6 Threats", draft-
          prigent-dhcpv6-threats-00.txt, March 2001.

          Jeong, J. (ed.), "IPv6 Host Configuration of DNS Server
          Information Approaches", draft-ietf-dnsop-ipv6-dns-
          configuration-04.txt, Internet draft (work in progress),
          September 2004.

[EAP3118] Yegin, A., Tschofenig, H. and D. Forsberg, "Bootstrapping RFC
          3118 Delayed DHCP AUthentication Using EAP-based Network
          Access Authentication", draft-yegin-eap-boot-rfc3118-00.txt,
          Internet draft (work in progress), February 2004.

[EAPIKE]  Tschofenig, H., Kroeselberg, D., Ohba, Y. and F. Bersani, "EAP
          IKEv2 Method (EAP-IKEv2)", draft-tschofenig-eap-ikev2-05.txt,
          Internet draft (work in progress), October 2004.

[IKEv2]   Kaufman, C., (ed.), "Internet Key Exchange (IKEv2) Protocol",
          draft-ietf-ipsec-ikev2-17.txt, Internet draft (work in
          progress), September 2004.

          Song, J., Chong, C. and D. Leigh, "MIPv6 IPCP configuration
          option for PPP IPv6CP", draft-song-pppext-mipv6-ppp-
          support-01.txt, Internet draft (work in progress), October

[SEND]    Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P.
          Nikander, "SEcure Neighbor Discovery (SEND)", draft-ietf-send-
          ndopt-06.txt, Internet draft (work in progress), January 2005.

          Aura, T., "Cryptographically Generated Addresses (CGA)",
          draft-ietf-send-cga-06.txt, Internet draft (work in progress),
          October 2004.

          Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., and
          M. Laurent-Maknavicius, "MIPv6 Authorization and Configuration
          based on EAP", draft-giaretta-mip6-authorization-eap-02.txt,
          Internet draft (work in progress), October 2004.

          Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the
          revised IPsec Architecture",
          Internet draft (work in progress), October 2004.

New-work mailing list

This email is sent from the 802 Executive Committee email reflector.  This list is maintained by Listserv.