[14:10:29] philip_matthews joins the room
[14:17:22] Dan York joins the room
[14:20:22] @DanYork: There are two slide decks not yet uploaded. I have versions of both. If you give me your e-mail, I can send them to you.
[14:21:48] dyork@voxeo.com
[14:22:13] Audio is on channel 3 versus channel 7 as it is listed on the audio page
[14:22:55] Channel 3?
[14:23:39] bhoeneis joins the room
[14:24:01] magnus joins the room
[14:24:06] OK slides on their way.
[14:24:07] iljitsch joins the room
[14:24:13] ylee joins the room
[14:24:30] wouter joins the room
[14:24:31] draft-ietf-behave-turn-09
[14:24:37] not sure who's talking
[14:25:00] that's Jonathan Rosenberg, I believe
[14:25:00] Jonathan Rosenberg
[14:25:07] RemiDenis joins the room
[14:25:20] Philip did most of the edits but isn't here
[14:25:30] changes in 08
[14:25:37] removed bandwidth attribute
[14:25:46] changed requested-prps
[14:26:00] preserving vs non-preserving allocations
[14:26:22] mohsen joins the room
[14:26:37] spec outlines what to do with header fields
[14:26:55] changes in 09
[14:27:14] iljitsch: thanks for scribing
[14:27:18] (are the slides online?)
[14:27:23] no
[14:27:40] lot of changes, see list in the document
[14:27:40] Philip just sent them to me via email
[14:27:53] issue: unauthenticated permission refresh
[14:28:27] is cullen jennings in the room?
[14:28:33] this might be a quick talk
[14:28:45] Indeed: most issues come from Cullen!
[14:28:46] mohsen leaves the room: Computer went to sleep
[14:28:53] philip_matthews: FYI, I did read through -08. (Doesn't need to be relayed to mic)
[14:28:56] diagram on screen that shows the attack
[14:29:00] inaudible question
[14:29:27] @DanYork: Great!
[14:29:28] jariarkko joins the room
[14:29:29] this diagram addresses the situation where the attacker is on the outside of the NAT
[14:29:34] kanda joins the room
[14:30:07] tsavo_work@jabber.org/Meebo joins the room
[14:30:12] someone taking notes?
it would be great to see when we switch between presentations
[14:30:36] bad guy on outside sends packet to create permission
[14:30:51] then spoofs reflexive address/port
[14:31:00] learn allocation by sniffing or guessing
[14:31:59] john.zhao joins the room
[14:32:06] the client can detect this by virtue of the unknown peer address in step 4
[14:33:41] cullen @ good mike:
[14:34:00] we only need to guess 16 port bits with unlimited tries
[14:34:04] ruri joins the room
[14:34:14] JR: you also need to know the allocation
[14:34:56] cullen: your mitigation is bogus
[14:35:00] Jyrki.Soini joins the room
[14:35:02] philip_matthews leaves the room
[14:35:12] the firewall has to be able to detect the attack
[14:35:42] JR: without turn it's easier to send data (through the firewall?)
[14:35:49] mohsen joins the room
[14:35:52] question @ mike:
[14:36:41] JR: doing it without turn is better for the attacker
[14:37:17] philip_matthews joins the room
[14:37:17] philip_matthews leaves the room
[14:37:23] philip_matthews joins the room
[14:38:42] [heated discussion]
[14:38:50] :-)
[14:39:01] But useful to me!
[14:39:27] Yes, it's useful to hear.
[14:39:43] can't keep up with that, though...
[14:40:17] iljitsch: You don't need to relay all the nuances. :-)
[14:41:13] audio isn't great at the best of times, this room has loud A/C and I am unfamiliar with the bits they speak of...
[14:44:26] Comment to Jonathan: We only need the Send request/response when refreshing permission. We can still use Send indications for most data msgs.
[14:45:46] solutions:
[14:45:52] option 1 do nothing
[14:46:00] Thanks Iljitsch!
[14:46:03] 2: add dtls to improve option 1, udp is secure
[14:46:23] option 3: add send req/response transaction in addition to the current send indication
[14:46:36] 4: clients MUST ignore data from unknown peers
[14:46:44] sal joins the room
[14:46:48] proposal: option 4
[14:47:52] jr: we're now designing new security protocols, we should avoid that
[14:47:58] at mike: should do option 1
[14:48:08] don't make things more complicated
[14:48:15] cullen, I think:
[14:48:34] reason for turn was that we didn't need a tls based relay protocol, there's enough vpn protocols
[14:49:12] q: what if you solve the problem but nobody implements it?
[14:49:37] Problem with option 2 is that all data gets double encrypted
[14:49:42] jr: if people are really worried about this attack we should fix it
[14:50:01] sbuko joins the room
[14:50:11] jr: we're going to see what happens
[14:50:32] we're doing handraising for the options
[14:50:49] option 1: 3 hands
[14:50:51] 2: 0
[14:50:53] 3: 4
[14:50:56] 4: 4
[14:51:07] we have no consensus, see you in minneapolis!
[14:51:22] audio died briefly
[14:51:30] everyone in favor of option 4 no matter what
[14:51:34] ok so we're doing that
[14:51:39] (I didn't see any hands)
[14:51:59] cullen (?) disagrees with this procedure at the mike
[14:52:07] Philip - the audio outage may be the "rebuffering" that goes on from time to time.
[14:52:33] Yes, it does seem to be rebuffering
[14:52:38] philip: do you have an opinion?
[14:52:42] we're doing another round
[14:53:03] I think option 3 is the best.
[14:53:10] all in favor of 4: many people
[14:53:16] 15 to 20
[14:53:35] jariarkko leaves the room
[14:53:36] ruri leaves the room
[14:53:43] q: option 4 assumes you'll get a reply from the person you're talking to
[14:53:58] ruri joins the room
[14:54:10] jr: I should never be receiving data from people I haven't previously connected to. what's your point?
[14:55:04] 3 options now on the table
[14:55:07] Iljitsch: appreciate your scribing.
Still having audio problems.
[14:55:30] Lars joins the room
[14:55:32] hands for option 1: 1
[14:55:36] 5 hands
[14:55:39] 6
[14:55:49] option 2
[14:55:55] 0 hands
[14:55:57] option 3
[14:56:03] 3 hands
[14:56:53] jariarkko joins the room
[14:57:03] leave it at this, non-great consensus
[14:57:10] q: procedural point:
[14:57:25] about 100 people in the room
[14:57:29] but only a few are voting
[14:57:47] next topic: preserving mechanisms
[14:57:51] introduced in turn 08
[14:57:59] much like an extension
[14:58:06] complicated stuff
[14:58:18] proposal: put it in its own document
[14:58:38] Comment: It was added under pressure from the ADs
[14:58:56] s/under pressure/by request/
[15:00:17] philip: not relaying as magnus is doing it again now :-)
[15:00:37] Yup. Magnus and Lars wanted it
[15:00:38] magnus: if it's lifted out it may not progress
[15:00:40] Lars leaves the room
[15:00:42] ruri leaves the room
[15:00:55] ruri joins the room
[15:01:13] jr:
[15:01:33] jr: not saying we shouldn't do it, but this is going to take several more ietf cycles to finish
[15:01:46] q: we need to get the rest finished, people are waiting for it
[15:01:54] lars:
[15:02:04] you're underselling this a bit
[15:02:10] we know what it's good for
[15:02:41] there are important features in there
[15:02:54] the question is if an app needs it: no, they manage to do without it now
[15:02:59] jr: but useful for video
[15:03:26] jr: negotiation mechanism will stay in there
[15:03:52] magnus: ok then, separate documents (I heard that correctly, didn't I?)
[15:04:32] Lars joins the room
[15:04:48] humming / hand lifting on
[15:04:57] removing this from document, moving it to its own
[15:05:03] keeping it
[15:05:08] something like 15 to 0
[15:06:28] iljitsch leaves the room
[15:06:32] Or could do a conf call immediately after the meeting
[15:07:11] kanda leaves the room
[15:07:11] philip_matthews leaves the room
[15:07:12] ruri leaves the room
[15:07:15] kanda joins the room
[15:07:25] ruri joins the room
[15:08:19] philip_matthews joins the room
[15:08:43] iljitsch joins the room
[15:08:56] fragmentation issue:
[15:09:06] darragh joins the room
[15:09:08] what if v6 packet is < 1280, set df on v4 or not?
[15:09:28] dudi joins the room
[15:13:19] kanda leaves the room: Replaced by new connection
[15:13:19] philip_matthews leaves the room
[15:13:19] ruri leaves the room
[15:13:28] ruri joins the room
[15:13:36] does this work?
[15:13:42] I'm having trouble with my jabber
[15:13:53] philip_matthews joins the room
[15:13:53] philip_matthews leaves the room
[15:13:57] I see your text
[15:14:16] my point at the mike: you should set df=0 when translating IPv6 packets <= 1280, set it to 1 otherwise if you want
[15:14:21] iljitsch leaves the room
[15:16:16] Hmmm...
now iljitsch has left the room
[15:16:26] jariarkko leaves the room
[15:16:27] ruri leaves the room
[15:16:34] ruri joins the room
[15:16:38] jariarkko joins the room
[15:17:31] philip_matthews joins the room
[15:19:48] sal leaves the room
[15:19:57] kanda joins the room
[15:20:03] @Iljitsch: We do what SIIT says to do
[15:20:23] bhoeneis leaves the room
[15:20:47] wouter leaves the room
[15:20:48] ruri leaves the room
[15:21:08] philip_matthews leaves the room
[15:21:50] philip_matthews joins the room
[15:21:50] philip_matthews leaves the room
[15:21:57] philip_matthews joins the room
[15:23:22] ping
[15:23:38] ruri joins the room
[15:23:51] @rem: I see you
[15:24:27] kanda leaves the room
[15:24:27] philip_matthews leaves the room
[15:24:28] ruri leaves the room
[15:25:00] kanda joins the room
[15:25:08] RemiDenis: We seem to have lost iljitsch, so we have no one in the room scribing
[15:25:15] ruri joins the room
[15:25:36] philip_matthews joins the room
[15:37:30] What slide are we on?
[15:38:15] nat64 @ http://tools.ietf.org/wg/behave/agenda
[15:38:31] But which slide in the presentation
[15:38:46] What is the title on the current slide?
[15:38:54] ylee leaves the room
[15:39:02] maybe page 17
[15:39:10] john.zhao leaves the room: Replaced by new connection.
[15:39:11] john.zhao joins the room
[15:43:52] jariarkko leaves the room
[15:43:53] ruri leaves the room
[15:44:12] ruri joins the room
[15:45:52] ylee joins the room
[15:49:22] atarashi joins the room
[15:50:45] kanda leaves the room
[15:50:45] philip_matthews leaves the room
[15:50:45] ruri leaves the room
[15:50:56] ruri joins the room
[15:51:14] philip_matthews joins the room
[15:51:16] philip_matthews leaves the room
[15:51:20] philip_matthews joins the room
[15:55:07] atarashi leaves the room
[15:56:14] kanda joins the room
[15:58:35] jariarkko joins the room
[16:01:03] RemiDenis leaves the room
[16:04:40] jariarkko leaves the room
[16:05:32] what's wrong with using C and D?
[16:05:40] i'm getting lost :-)
[16:05:57] I am too. But I haven't read the draft ...
[16:06:45] What is unclear to me is how general this scheme is.
[16:06:56] kanda leaves the room: Replaced by new connection
[16:06:57] philip_matthews leaves the room
[16:06:57] ruri leaves the room
[16:07:10] kanda joins the room
[16:07:10] ruri joins the room
[16:07:24] iljitsch joins the room
[16:07:27] philip_matthews joins the room
[16:07:29] philip_matthews leaves the room
[16:07:33] philip_matthews joins the room
[16:07:39] ugh, wifi channel 6 wouldn't let me connect to jabber the past hour
[16:08:25] @Iljitsch: Welcome back
[16:08:39] were you able to follow the previous discussions?
[16:09:07] Not the IVI stuff, but most of the NAT64/NAT6 stuff I did.
[16:09:27] what do you think about a well-known prefix vs what's in our draft now?
[16:11:19] As I said on the mailing list, I am still worried about the mapping property (endpoint-independent or not). But Dave had a good point that it might be possible for the NAT64s to coordinate amongst themselves.
[16:13:41] ylee leaves the room
[16:13:44] jariarkko joins the room
[16:17:52] tsavo_work@jabber.org/Meebo leaves the room
[16:17:53] philip_matthews leaves the room
[16:17:53] ruri leaves the room
[16:18:07] ruri joins the room
[16:18:30] philip_matthews joins the room
[16:18:44] iljitsch leaves the room
[16:20:57] Question: How general is this scheme?
[16:21:39] How many IPv4 addresses do they need?
[16:22:56] darragh leaves the room
[16:23:41] sbuko leaves the room
[16:24:37] john.zhao leaves the room: Computer went to sleep
[16:26:08] jariarkko leaves the room
[16:26:09] jariarkko joins the room
[16:26:09] ruri leaves the room
[16:28:37] mohsen leaves the room: Computer went to sleep
[16:28:41] ruri joins the room
[16:29:15] magnus leaves the room
[16:29:15] philip_matthews leaves the room
[16:29:16] ruri leaves the room
[16:29:25] ruri joins the room
[16:31:19] Jyrki.Soini leaves the room
[16:31:42] ruri leaves the room
[16:31:51] ruri joins the room
[16:32:20] ruri leaves the room
[16:33:59] Lars leaves the room
[16:42:47] dudi leaves the room
[16:44:19] kanda leaves the room
[16:44:41] hirocomb joins the room
[16:46:37] Jyrki.Soini joins the room
[16:49:42] OatWillie joins the room
[16:50:07] am i late?
[16:51:49] john.zhao joins the room
[16:55:39] late again - sigh
[16:57:15] did both behave sessions already occur today?
[16:57:29] jariarkko leaves the room
[16:57:29] jariarkko joins the room
[17:10:33] Lars joins the room
[17:10:49] Lars leaves the room
[17:11:31] jariarkko leaves the room
[17:12:32] john.zhao leaves the room: Computer went to sleep
[17:13:12] john.zhao joins the room
[17:17:18] philip_matthews joins the room
[17:21:09] john.zhao leaves the room: Computer went to sleep
[17:21:42] john.zhao joins the room
[17:23:57] john.zhao leaves the room
[17:45:06] ruri joins the room
[17:49:50] Is someone acting as jabber scribe / monitor?
[17:50:33] I am just monitoring...
[17:50:47] Are you present in the room?
[17:51:09] no, I am in another room
[17:51:50] behave starting up again?
[17:52:05] sorry, I misunderstood your question
[17:52:18] @bmanning: It is starting now
[17:53:11] ta...
[17:53:16] Lars joins the room
[17:54:49] hirocomb leaves the room
[17:54:51] dudi joins the room
[17:56:49] There is an issue with ALTERNATE-SERVER in rfc3489bis
[17:57:32] We may have to change the text depending on how the anycast and TURN discussion goes.
[18:02:57] could you have the speaker -slow- down a little?
[18:03:54] magnus joins the room
[18:08:14] DThaler joins the room
[18:09:10] a "safe" list?
[18:09:50] @bmanning: What is your question?
[18:10:37] hard to understand the speaker - he is going fast. i think the sidebar on port randomization was related to the port range...
[18:10:59] something about a "safe" list of ports vs all available ports
[18:11:15] so the question: what the heck did they say?
[18:11:20] magnus leaves the room
[18:11:20] philip_matthews leaves the room
[18:11:21] ruri leaves the room
[18:11:32] ruri joins the room
[18:11:43] philip_matthews joins the room
[18:12:04] who is at the mic now?
[18:13:15] @bmanning: There is a discussion of port range in RFC 4787. That might help make the discussion clearer.
[18:13:45] ok.
[18:14:02] the audio is very poor
[18:14:10] But I think Remi Denis-Courmont's comment that the port range is pretty small is a good one.
[18:14:25] For me, the audio quality is quite good.
[18:14:56] i'll shut up and try and pick out the threads
[18:14:57] mohsen joins the room
[18:24:05] DNS URI? what happens when IDNABIS is adopted?
[18:24:55] I suspect that people in BEHAVE are not aware of IDNABIS. I certainly am not.
[18:25:10] non-ASCII DNS labels.
[18:25:26] Raise this on the mailing list
[18:25:51] have to get past the signup hurdles...
[18:26:17] Or send directly to the author
[18:26:24] that i can do.
[18:28:29] ouch! linear search of v6 space looking for capabilities?
empirical testing has that method taking weeks to complete
[18:28:29] Copy me, since I am the editor of the base TURN spec
[18:28:45] ok
[18:29:12] how many folks working on this stuff actually run networks?
[18:30:04] the speaker has never heard of enum & naptr then has he?
[18:30:28] Run networks as in work for ISPs? None that I know of. But there are many who work for companies trying to get SIP to work.
[18:30:44] yes, run networks.
[18:31:19] vendors and folks writing code for vendors without being grounded in pragmatic realities are scary.
[18:31:40] I believe the presenter works for a company trying to get SIP to work.
[18:32:27] So what was the outcome of the show of hands?
[18:32:37] some of the testing done in some v6 networks shows serious problems in the way address space is managed/assigned for capability discovery - esp. in IPv6. early testing has shown -weeks- to complete
[18:32:57] neither of my hands was raised
[18:33:52] mohsen leaves the room
[18:42:39] dudi leaves the room
[18:46:08] Dan York leaves the room: Computer went to sleep
[18:53:09] ruri leaves the room
[18:53:16] philip_matthews leaves the room
[18:53:19] Lars leaves the room
[18:54:37] Jyrki.Soini leaves the room
[18:55:00] ruri joins the room
[18:55:35] ruri leaves the room
[19:29:08] DThaler leaves the room
[20:26:32] philip_matthews joins the room
[20:26:51] philip_matthews leaves the room
[20:50:46] Dan York joins the room
[22:46:56] OatWillie leaves the room