Better-Than-Nothing Security BOF (btns)

Monday, March 7 at 1300-1500
============================

CHAIR: Sam Weiler <weiler+ietf@watson.org>

AGENDA:

(1) Agenda bashing (5 minutes)
(2) Review of BTNS goals (15 mins)
(3) Charter bashing (20 mins)
(4) Milestones bashing (20 mins)

Mailing List info. and preliminary Internet Drafts:
http://www.postel.org/anonsec


DESCRIPTION:

Current Internet Protocol security protocol (IPsec) and Internet Key
Exchange protocol (IKE) present somewhat of an all-or-nothing
alternative; these protocols provide protection from a wide array of
possible threats, but are sometimes not deployed because of the need
for cumbersome key management infrastructure or complex configuration.
This working group will develop extensions to existing IPsec and IKE 
protocols to support relaxed variants that reduce their need for 
pre-shared keys and/or key management infrastructure. These relaxed 
variants provide weaker security guarantees than their conventional 
counterparts, but should be sufficient for use in limited environments, 
e.g., to protect against off-path attacks but not man-in-the-middle, or 
to protect connections without regard for authoritative identification 
of communicating parties. The goal of these relaxed variants is to 
enable and encourage the use of network security where it has been 
difficult to deploy - notably, to enable simpler, more rapid deployment. 
The IPsec and IKE extensions will be developed in a manner consistent 
with use with channel binding.

This work should not preclude the binding of security thus provided with
security at other layers.

The WG has the following specific goals over three IETF meetings:

a) develop a framework document to describe the motivation and
   goals of these infrastructure-free variants of security protocols
   in general, and IPsec and IKE in particular

b) develop an applicability statement, characterizing a reasonable
   set of threat models with relaxed assumptions suitable for
   infrastructure-free use, and describing the limits and conditions
   of appropriate use of infrastructure-free variants

c) develop IPsec and IKE extensions and/or configurations that
   provide the desired infrastructure-free use