From YouTube: IETF108-IPSECME-20200728-1100
Description
IPSECME meeting session at IETF108
2020/07/28 1100
https://datatracker.ietf.org/meeting/108/proceedings/
C
Oh sure, there is... there's, right where you asked for one, to the left of where you just started. Sending the audio... there's a request, audio cue, or at least there should be.

C
Are you seeing this slide all over everything? Because I made it full screen, so it's hiding the chrome.

D
Anyone seeing the application that would present the slides, but it's still in the not full screen mode, so list of slides on the left. And it's a Note Well from the second slide, as well as the first line. So.
C
Okay, I think the session's started. So let's get done with it. We go to the next slide and show the Note Well, and even though the font is really, really small, it doesn't really matter because we're all remote, so we've all got our reading glasses and we're seeing the small font just fine.

C
Okay, so note the Note Well, and let's go on to the blue sheets. These are automatic here: just by logging into Meetecho you registered on the blue sheet. So we need a Jabber scribe and two note takers, and the links at least to the note-taking are on the agenda.

A
The most problem, the problem thing is that you can see that, if you are, you know, going with the queue, you can't see the chat unless you have a Jabber client separately.

C
Okay, good, so we need volunteers for note-taking at least.

A
That's why we want to have a tool, and we are using the CodiMD or what is that. I don't know how to spell that. One go with 19, yeah.

C
Okay, so we don't really need blow by blow, just any decisions made or ideas accepted or rejected or stuff like that.

C
Okay, so oh yeah, so can you run? Oh, we just got... follow, anyone else?

C
Right, okay, great, thanks! So let's go to the group status, I think, is the next slide, right. So we've got all the allocated time for technical difficulties, and this is the agenda. Any comments, anything we forgot, missing stuff? Yeah, remember that Paul had something he wanted to discuss in any other business, but well, we'll get to that.
C
Okay, since we last met, which was in November, and I wasn't even there, so: Implicit IV got published as RFC 8750 and QR IKEv2 was published as RFC 8784, and I think for the first time in several years I don't have a draft in this working group, so yeah. And we've requested publication for the IPv6 and IPv4 codes, and that's the publication request. And then we've got work in progress for the intermediate, multiple KE, IPTFS, labeled IPsec, which I don't think we've had much discussion about recently, and, of course, G-IKEv2, that's been going on since I think the first IETF I ever attended, which was in 2007, so yeah, that's been a long time coming.
F
So TCP encapsulation was defined in RFC 8229, published a while ago, and it modifies IKEv2 behavior in several ways. There are very... quite a lot of places where IKEv2 behavior must be accommodated, must be handled differently compared with UDP transport, and while the RFC tries to cover all these places and describe, prescribe the new behavior...

F
...lists all these clarifications for RFC 8229, but following our AD's advice and our chairs' advice, it was decided instead to prepare RFC 8229bis, so Tommy and myself have prepared the draft that can be used as the initial version of this document. Next, please. So here I will try to cover just the differences that are not addressed in the current version of the RFC, and that must be addressed in this draft.
F
So IKEv2 requires the exchange initiator to retransmit requests periodically, and TCP is a reliable protocol, so the retransmissions are not needed, and moreover, excessive retransmissions may make things worse, because in case of congestion any retransmissions that will be done by the application will always increase this congestion, making things worse. But in some cases, for example, if the TCP connection is lost and then restored, then the retransmission must...

F
On the other hand, puzzles can be used because it provides a different mechanism to defend against distributed denial of service attacks, and so cookie will be used only if puzzle is used, but of course, if cookie is requested by the responder, the peers still need to handle it in this situation. So next, please.
F
So since UDP...

F
RFC 7296 advises the initiator not to act immediately if it receives some error notification in the IKE_SA_INIT, but wait for some time, because this packet can be forged. But in case of TCP it makes little sense, because either we receive the error and it is a genuine error, or it is forged, but if it is forged, then this TCP connection is hijacked and the genuine error will never be received. So it must be also addressed in the revised document. Next, please.
F
That... that are important here.

F
NAT detection IP content must not be... so, sorry. Currently the RFC recommends that it can't be changed, that the initiator first tries to connect over UDP encapsulation and then switches to TCP. NAT detection IP notification must be recalculated if the source address was different.

F
And that's just to detect whether a NAT is present, so at the same time, message ID for TCP-based exchange must remain the same, even if we switch to the different transport. So the next, please.
F
And another very important thing is an interaction with high availability clusters, since TCP connection, when cluster is switched from basic to... from active to backup node, the TCP connection will most probably be lost, because, well, if it is, if it survives, we have very reliable...

F
A special packet informing that message ID must be adjusted and sequence number might be adjusted, but it can't do it because this TCP connection is lost and the initial responder cannot restore it. It has no means to do it, so it's advising that client should periodically send liveness check messages, and it must do it more frequently, and despite whether real traffic exists or no... despite, if there is traffic, it must not send, but if there is no traffic, it must send periodically.

F
So that's basically most of the changes. There are more, more changes that are less important, probably that can be ignored, but that was covered most of the changes that are in the new document. So we're definitely looking for adoption of the document, following our AD's advice.

F
So what the chairs think.
B
So just a few comments. I'll have to take a closer look at the draft, but I think there should probably also be a section about the kernel requirements and things like what to do when you have, like, packets that are too small, that are smaller than a non-ESP marker, because we had a few bugs when we were implementing this in the Linux kernel. I think those would be good to also incorporate into the document.
F
Yes, there is a section that is concerned with IPsec, so how TCP encapsulation in the kernel is influenced by the security processing. It is currently a bit short, but it definitely should be expanded. In particular, it says that, for example, you cannot have multiple... you cannot copy the traffic class field from the inner IP header to the outer.
B
And then one last question, so I know we did some interop testing. Have there been any other vendors yet who've done interop testing?

F
I believe so. Well, initially, when RFC 8229 was implemented, I remember that we have tested with at least Apple and, as far as I remember, with Cisco as minimum.
C
I can do it for you, but you've got a button for stopping transmission. Any other questions?

C
Okay, let's take a hum about how many people have actually read this, so go to the hum tool: tab, virtual hum tool, tab! It's right next to the chat, right, left of the chat, and when I click the start button you will have a chance to say how loudly you want to hum. So hum now if you have read the draft.

C
Okay, so yeah, people hum very, very softly, pianissimo, and that's really not very... it's relatively new, so that's probably the case, yeah. So if I ask now about how many people haven't read the draft and I get that it's 48, doesn't really say anything, because it doesn't show me how many people hummed. So that's pretty useless.

C
Okay. So, since we can't really poll the room for how many people have read the draft, and there's also no point in... well, perhaps there is a point in asking about, you know, adoption. Or rather, let's ask the participants to come to the queue and say if you think adopting this is a good idea.
C
So you have a general sense that RFC 82... what was it, 8229, is an incomplete specification for doing IKE over TCP.

C
Okay, so the question we really would like to ask is if we need... and if we need an update to 8229, and if this is a good starting point, and I guess that's some question that we will ask on the list.

A
Else this is, I think, actually, if I remember correctly, our original charter was like TCP encapsulation clarifications, and then we decided to do the bis document, and I think that's the real question now, that.

C
And we are watching... we'll definitely take this to the list. Okay, so if nobody has anything else to add, I guess we can move to Valery's second slide deck.
F
Next item for us: it is called IKEv2 configuration for encrypted DNS. So this work was initially initiated by Med, Tiru, and then I later joined, just to clarify things concerning IKE. Next, please. So this is just a content of the presentation.

F
It's a simple... sample use cases, how it is integrated into IKE and what next steps. Next, description of the problem. So recently several schemes to encrypt DNS have been specified: it's DNS over TLS (DoT), DNS over DTLS, DNS over HTTPS (DoH), and another scheme that is currently being specified in another working group.

F
So it's quite popular topic currently, to make DNS encrypted, and the question is how to securely provide clients with the configuration of encrypted DNS, so that they can use it even within IPsec. Next, please.
F
So VPN service provider can offer publicly accessible encrypted DNS outside its domain, so that DNS server is not accessible, or probably, maybe, or may not be accessible, via the VPN tunnel. So in this situation we have to... since DNS is encrypted, there is no... it's protected, but we have to configure the client with configuration and how to use encrypted DNS outside the tunnel. And the next use case. Next, please.

F
It's protected internal DNS traffic. So recent research, recent trends, treat even internal hosts in the protected networks as susceptible to being attacked, and so, in this case, encrypted DNS can benefit, so that the DNS traffic is encrypted even inside the protected boundary, so-called zero trust architecture.

F
So how to solve this problem.
A
And we use an IKEv2...

F
...configuration attribute to convey information concerned with encrypted DNS from server to the client. It's called INTERNAL_ENC_DNS, and it has the following information inside, so...

F
...and the server address itself and the encrypted DNS domain, fully qualified domain name. So this attribute is exchanged in the IKE_AUTH exchange, along with other attributes, in CFG_REQUEST and CFG_REPLY configuration payloads. That's the next, please, so the attribute format is...

F
One or more IP addresses for the DNS server; all addresses are encoded as IPv6 addresses, and IPv4 addresses are included using the mapping from IPv4 to IPv6, and then the authentication domain name.

F
So there is one subtle thing that...
A
This draft...

F
This draft interacts with the split DNS extension, currently RFC 8598. Split DNS configuration for IKEv2 requires that INTERNAL_IP4_DNS/INTERNAL_IP6_DNS attributes be present when INTERNAL_DNS_DOMAIN is included. Since this attribute includes both address and domain, this requirement is relaxed if this draft is implemented. So the next, please.

F
So next steps. I think, from conversation with my co-authors, that this group is not considered as a primary home group candidate, so they wanted initially, they directed the draft to be adopted and progressed in that working group. But since this is concerned with IKE, I think it is of interest for this group. Probably IPsecME can be home for this draft, if the group decides it is interesting.
B
Oops, I had another mute button. Sorry. So I think the draft's good. My only concern is with the bit that says something about what to do outside of the VPN tunnel. I think that's sort of out of scope for IKE to say what you should do outside of the VPN. So I think it should... I agree to define, like, you know, these are the DNS servers you can reach on various protocol flavors.

F
Comment on this, because it's mostly... I'm not an expert in encrypted DNS, so my co-authors will probably also answer better than myself, but as far as I understand, they feel that this is a very interesting scenario, when the DNS initially is offloaded outside the VPN provider, so that all the DNS queries are encrypted, but the DNS provider is different from the VPN provider.
D
Okay, I had a couple comments. So the first one is, I think you already noted that there is the ADD working group that is chartered to do things, at least in this space. So you should be sure to have the respective working group chairs coordinate to make sure that we have one proper home for the work, but I'm sure we can do that. And my other comment was that in the slide with the attribute format, you are showing the IP address and the DNS authentication domain name.
F
Thank you. First, about the first question: this draft, this presentation was also requested to be done in the ADD working group in this IETF, but because of very tight agenda...

F
...but the home working group for this draft. And for the second question, so the next slide, and next... the reason it becomes the next slide. Well, there are some DoH specifics that are not covered in the draft, and that is because this is... where it is... it is a bit outside of IPsec.

F
We decided to make this because, like, not to present it initially, so exactly for DoH, you have to somehow know the URI templates for the DoH services.

F
It will be covered in detail in the draft btw-add RFC 8484 clarification, but the idea is that there is a well-known URI where this template can be discovered.
D
Yeah, we'll definitely have to follow that work to stay on track, and, of course, when DNS over QUIC arrives, we don't know yet what kind of configuration it will need, so just to make sure that our attribute format is sufficiently flexible, that we can extend to new types of data if we need to. But yeah, I think this is interesting work.
A
So to start giving it, so you would be saying that instead of having this kind of thing, we probably should have, you know, sub-attributes inside that thing, that we could have multiple different types of things, especially if we see that there's going to be perhaps need for other types of configuration attributes for different types of, you know, things we are configuring. Or the other option, of course, is to make, you know, multiple...

A
You know, because we have this list of, you know, configuration attributes already, so we could, you know, just do it so that we move this one level up, like we did for IPv4 and IPv6. We have a different payload for IPv4 DNS addresses and different for IPv6 DNS addresses. We could have one format for, you know, DoT, one format for DoH, and one for DoQ, because we have a 16-bit attribute type there.
C
Okay, so yeah. This is Yoav here, speaking with no hats. I admit I haven't read the draft, but just looking at the presentation, I think there's something missing in the motivation.

C
The big motivation, as far as I'm concerned, is that the world, or at least the world in the IETF, is moving to encrypted DNS, and we don't want to have to keep the old unencrypted DNS just for the sake of the IKEv2 server that doesn't know how to handle encrypted DNS. So we need it, if for no other reason, we need it to keep up with the times, because we don't want to force people to keep the unencrypted DNS.
F
It's one of the reasons, because, of course, Tiru probably will comment better on it. But as far as I understand, many browsers will soon have encrypted DNS turned on by default, and they will display a warning if you use some encrypted DNS. So we should be prepared with this, with IKEv2, so that users don't see this warning when they use, I don't know, IKEv2 to connect to the VPN. You can correct.
I
One of the co-authors of the draft. The DNS authentication domain name can be used by all the three flavors of DNS encryption: DNS over TLS, DNS over HTTPS, and DNS over QUIC. DoH, or the next, HTTP/3, requires a URI to be discovered, and that URI discovery can be done securely using a well-known domain name. So that is, the client first establishes the TLS handshake and then uses the URI to retrieve the well-known URL, to retrieve all the various services. The services could be like: I can do malware filtering, I can block phishing sites, so the various services. I don't need any filtering from the DNS service. So those...

I
...flavors of the URI that could be discovered by the client, and the client can decide to pick whichever service it wants to use from there, so that discovery is already discussed as part of...

I
The URI services can be discovered using the well-known URL link, and that's already being discussed as part of that. That's the reason it's not covered.
C
Yes, I see, okay, so I guess that's something that Valery needs to discuss with the ADD people.

C
Okay, so next one in the queue: Benedict.
G
Okay, so maybe this was... this was the context of the previous question and I just didn't quite get it first. My understanding was that for some DNS services, like DNS over TLS, we need, or are hoping to do, certificate validation. Is that the same context as the previous question, or, if not, is that something that we maybe can just send a string and then do the DNS... we would have to do it. We would have a bootstrapping problem, but we would be able...
I
To evaluate... yeah, the ADD working group is currently only discussing certificates which are PKI based. We are not discussing any certificates which are using private CA or raw public keys. So that's the reason in this draft we are only covering authentication domain name, because the certificate would have that, and a client would still use PKI to validate the certificate.
C
Okay, so Valery, are you right now calling for adoption of this, or what?

F
I think that the ADD working group is primarily... primary target home working group for this draft. So as far as I understand from my conversation with co-authors, so it's probably in this working group just for information. But if there is an interest in looking...
I
Yeah, I think we need a couple of more revisions for this draft before I think it's ready, but we would definitely like to present this draft in ADD working group as well, and we would like the chairs of both this working group and ADD... because this is an extension to IKE, it definitely falls into this charter as well, but you will also be aware of the work that's happening here, so I guess some discussions have to happen in both.
D
Makes sense, yeah. Just to note, as the area director: if this working group, IPsecME, decided to say that this work is terrible and you shouldn't do it, that would be very useful information for ADD to have. I don't see that happening, of course, but to be able to say that we saw the work and it seems to make sense is useful information to have.
I
I had one comment to add. Currently, if you see most of the drafts that are discussed in ADD, they are basically using insecure mechanisms to discover the DoT/DoH servers; either it could be DHCP, router advertisement, or it could be...

I
...have a domain; especially, it has a domain name which the client queries in DNS, or 533, to retrieve whether the network supports DoT or DoH.

I
This is the only secure mechanism that's being discussed which makes sure that it's not an attacker who is providing a DoT/DoH server, rather it's the server which is hosted by the VPN provider, so that makes it quite unique and probably different, the VPN use case compared to the other cases that are being discussed in ADD.
C
Okay, so with that, let's go to Valery's third and last, because we're already about seven minutes behind schedule, so that'll become...
F
So of course, if initiators knew responders' capabilities, they would have chosen the acceptable one and they would have succeeded. So the next, please. And so, the problem: there is no... currently there is no way for peers to explicitly indicate the supported authentication method.

F
It's the heuristic mechanisms that can be done using CERTREQ payload, for example, or ID content, but all of them are unreliable, and I think that with new signature formats and authentication methods, especially post-quantum and hybrid ones, that are already discussed in the LAMPS working group, there are some drafts, this situation might happen more often. So the next, please, and...
F
Solution is to add the new notification SUPPORTED_AUTH_METHODS to indicate the supported authentication methods, so that is an optional notification that each peer can send to each other, and for certificate-based authentication...

F
It's useful to add the ability for the peers to indicate which signing methods can be used with each of the CAs in the CERTREQ payload, and another thing that is desirable is to avoid creating new IANA registries for them. So next, please.

F
So the format of the notification is a list of supported authentication methods, of which each of them is represented using three possible formats: a two-octet format for a very simple method like pre-shared key or null authentication; a three-octet format that...
F
...links to, sorry, to CERTREQ payload; and a multi-octet format that, actually, for the currently only method, digital signature, contains some AlgorithmIdentifier to completely identify the signature algorithm that can be used for this authentication method, and the linking is done by pointing to the content of CERTREQ payload. I can illustrate it on the next slide. Next, please.

F
So this is an illustration of how the linking to the CERTREQ payload is done. So each authentication method contains a field, a subfield called Link, and it contains either zero or non-zero value. If it is not zero, it points... this value is treated as a number, the sequence number of CAs in the CERTREQ payload.
F
If it is zero, it means that this particular authentication method can be used with any CAs, or it isn't concerned with this. So the next, please. So how it is exchanged. There are two options. Option one is very simple: it is exchanged along with CERTREQ payload, so each time the peer sends CERTREQ payload, it also includes the SUPPORTED_AUTH_METHODS.

F
Next, please. The problem with the first option is that SUPPORTED_AUTH_METHODS notification can be quite long, because you can support quite a lot of methods, and since the AlgorithmIdentifiers are ASN.1... if ASN.1 identifiers are included, they can reach several hundred bytes. So in this case we can use IKE_INTERMEDIATE exchange that is used for other purposes currently, for multiple key exchanges, and, for example, we can use it for other purpose. So if responder...
F
...that the size of the IKE_SA_INIT response will be too large and cause IP fragmentation, it can send an empty SUPPORTED_AUTH_METHODS notification, and that is a hint for initiators that it must initiate IKE_INTERMEDIATE exchange, or piggyback if IKE_INTERMEDIATE exchange is initiated for some other purpose. And so in this IKE_INTERMEDIATE exchange the responder will include this notification, so for the initiators there's no problem, because it gets close.

F
So the next, please. So I try to be very quick. I want to say that this particular...
B
Hi, Paul Wouters speaking. I think this draft is a good idea. I'm not sure yet about whether all the complexity is needed. But I did want to point out that for Libreswan we went into... we had a similar issue. We wanted to support null encryption on both sides and then slowly have people be able to migrate to certificates, and we couldn't really signal that, so...

B
...a custom payload where we did the PPK trick, and speaking of that, so in that sense, I think doing this in the standardized way is good and I would support it.

B
I would like to maybe see the PPK hack also merge into this, so that we can do this properly with this method and then maybe in the future, you know, obsolete that PPK auth hack. For those who don't know, with PPK you basically send two AUTH payloads, differently calculated, and then, but with this draft you could just send the one that you think is...
A
Oh, it's still going on. That's not as chair, but I think one of the things we would probably do also: we could actually split this in two pieces, meaning one to negotiate actual authentication algorithm; the other one is the problem that, which, you know, methods are suitable for each CA, and having the linking back and forth with the certificate payload, certificate requests and so on.

A
So we'd have a list of, you know, supported authentication methods, which says, you know, PSK, signatures, and so on, whatever formats you have, but the list of, you know, suitable algorithm IDs would be inside the certificate requests, meaning that we actually allocate one new certificate request type that has, you know, in addition to having the hash of the CA, we also would have, you know, a list of OIDs that, by this, it supports, or something like that.
C
Okay, anyone else?

C
So now Michael Rossberg is gonna do the pitch for improvements, proposed improvements to ESP.
J
Hi everybody, so let's take the next slide already. So what we did was we looked at ESP in data centers and we came into a couple of problems, and we had two major issues. One was that the sequence numbers are not handled in ESP as we want them to be handled, so maybe a pretty subjective view. But that gives us problems with parallelism and it gives us problems with multicast replay protection, which we see in data centers right now, and it also gives us issues with QoS.

J
There are a couple of ways around that right now being discussed, but it all boils down to the problem that sequence numbers are bound to an SPI, basically, and the other thing that we had was a well-known problem to this group: that ESP trailers force us to do complex protocol handling. So if we have fragments, if we have segments and maybe alignment issues, then this trailer comes into our way, and what we did was we...
J
We exchanged things in... messed with ESP a little, and what I want to do now is to give you a short explanation of what we did with it, even though we don't know yet what we can do with that. So what we currently have: we have an implementation of it, but we don't know if that's worth a new protocol, a new version, a different mode, different... yeah, just encapsulation method. Next, please.

J
So what we did was we kept basically the SPI where it stays, but between the SPI and the sequence number we introduce another field, of basically two other fields, and they indicate which window... we introduced multiple windows, and for each sender, or, if you have one sender, that can also introduce different windows for different QoS classes and maybe for different CPU cores, and then have every CPU core or whatever, or sender, have its own sequence numbers. And what we also did was we introduced a larger sequence number field, to...
J
We basically send all, with the whole 64 bits of sequence number information, which we have for ESN anyways, but if we explicitly send them with every packet, we don't have synchronization problems, especially if you have... if we were talking about having one key and a whole data center and large multicast groups, then we had this synchronization problem.

J
Furthermore, we shifted the ICV value from the trailer to the beginning, into the header, which allows us to make assumptions, for an example, that the ICV is always present in the first segment, or it's always present in the first fragment, and it's all followed by the encrypted packet. What we got rid of is the whole trailer.

J
That means the padding is done now implicitly, like it is done for traffic flow confidentiality anyways. So, and as long as you do tunnel mode, that's not a problem. If you did something else, that's a different point of discussion, but we don't want to do that here.
J
As I said, and it allows us to scale over more CPU cores without having additional things done in the group protocol or in the key management protocol. And it allows us to do multicast replay protection, as each sender can just use its own sequence number window, and it allows us also to do replay windows per QoS class. In this case the sender just uses different window IDs for different QoS classes, and they can just overtake, what I have not discussed in detail here.

J
But we all use the sender ID, the window ID and the sequence number as an initialization vector to the encryption, and this allows us to do implicit IV, and allows us to get a little bit more performance because we don't need additional authenticated data anymore.
J
Anything changed in any field in the header leads to a failed decryption. Thus, an attacker cannot do that, and without AAD we can encrypt things faster, because we don't need an additional round, for example in GCM, and, well, we have also implicit padding. So now, I know this is kind of a large change. So that's why I wanted to discuss it before just writing some drafts, or, yeah, have feedback here from the group.

J
What we intend to do is something like: we don't want to replace ESP fully with it, but have it somehow negotiated, if you're running it in a data center or so, and you could use that mode, which is tuned to having fast performance implementations, and you could just do it so on an SPI basis, and you can decide, for example, in the Next Header, if the packet was encrypted with that mode or just normal ESP. Next, please, and this is just to show you how much performance you can get from such an implementation.
J
So this is just a measurement we did on a Broadwell CPU, and it shows you different performance figures for ESP vanilla, ESP security association, and that's our approach, which we call VPE, and what you can see is that you can run it at about 30 gigabit per second lines, 70 gigabit per second on the red side, so on the unencrypted side, and have pretty much high performance from the approach.

J
So thanks for listening! What I'm interested in is feedback from you, so we can decide on how to incorporate things into a draft, or if we should just, yeah, have it somewhere, yeah, have just an informational draft, for an example, or just that things are not a good idea. Maybe also would be outcome.
C
Dropped, so I'll see... something... there's already a live discussion going on.

C
Something now, whether it's a good idea, that's already being hashed out on the list, and if you read the Jabber room, or it's also in the Meetecho, I think there's quite a bit of discussion right now, and yeah. So yeah, there's... definitely there's no consensus about this. But there's a lot of...

C
And at some point maybe you'd want to have a virtual interim about it, if there's enough interest. So anyone still want to comment here?

C
Okay, so the people who only commented in the Jabber room, we'll take that to the list as well. Okay, so let's go with the next slide.
C
So
christian
and
about
traffic
for
security
and
we're,
starting
with
the
presentation
about
the
thing
that
is
already
in
the
charter
and
being
worked
on.
H
Yeah, hi, is it... oh, good? It looks like my audio is coming through. Hi, I'm Christian Hopps with LabN Consulting, and this is an update. Right, it showed on the status slides: this was an individual draft, but we adopted this a while back, so it's a working group document now. Next slide, please.

H
So this is an update since 106. We didn't meet in 107, so this was published prior to 107, back in March. The notable changes: these were changes that were asked for at 106 and on the list. The two big ones were, or the biggest one was, the IKEv2. I had used transforms, and Paul and some others said this is a silly way to do this, and yeah, they were right.

H
So let's go to the next slide. So we switched: basically, to enable IP-TFS we use a notification; it's the same sort of method as the transport mode. The only thing that's different there is that we added a required flags payload to the notification.

H
If the required flags are not understood or supported, the TFS mode would not be enabled by the responder, or, if it's the initiator that's getting back a required flags field that it doesn't support, it would then delete the SA, which is following the basic method. Next slide.
H
So the two required notification flags are congestion control, whether, you know, basically, if it's set, the sender is asking the receiver to send it back congestion control information periodically; it must be sent, and so if the receiver doesn't support sending that information, it would then not set up TFS; and the don't fragment bit. This was required a while ago, but we're just continuing to bring that forward, which is, if the sender of the notify message does not support receiving fragments.

H
So, next slide. We changed the... because we're looking at doing a protocol number, we wanted to make it as generic as possible so that we could really not, you know, have any sort of trouble with this. So we used basically a first octet subtype, which then allows, basically, for the IP-TFS protocol number, you know, we will have 255, 256 uses of different header formats if we needed them, even if they were not TFS.

H
So with that change, then, these are the new header formats. Subtype zero is the non-congestion control payload format. That's a type 0, reserved bits, which... this used to be a 16-bit flag field, basically, that was all zeros, and no other changes. Next slide.
H
Congestion control payload format goes to subtype one, and that did have a flag, which is whether ECN bits were used in calculating the data that it's returning, and that's the P flag. The rest of the flag bits are reserved, and the rest of the header stays the same. Next slide. So we had a couple of open issues and the comments from last meeting, and one was the IP protocol number. We discussed this on the list a couple of times.

H
I think we've done discussing it, so we're just waiting for the chairs to forward the request. We've got a summary there. You know, basically, we looked at using WESP, but it didn't really gain us anything. We still needed the next header number, so we just were burning some extra bits and bandwidth.

H
So what we agreed on was to, you know, let's start an early allocation process. This will let us get through any kind of issues that might come up and, you know, we can deal with them, so that it's not happening at the very end of the process. And even if we did run into some problems, which we really don't anticipate, you know, once we justify the use...

H
But if we did, we can always fall back to overloading an IP protocol number, but this really isn't where we want to start, right, because I mean there's already people that are thinking that they might be able to use this framing outside of ESP, and the minute you leave ESP, then you can't, you know, you can't just use an overloaded IP protocol number anymore.
H
So anyway, there's a lot of IP protocol numbers. It is a, you know, an 8-bit field, but more than half are left and a bunch can be deprecated, so, and yeah. Well, let me come back to that. So the other major thing was transport mode, and we discussed this on the list and decided that this could be done in a separate document. There are some real...

H
You know, it depends on how far we want to go with supporting transport mode. If it's just to support GRE, the, you know, the Cisco sort of GRE with transport mode tunnel, it's fairly easy to do this, but if you want to get any more generic, you have to start talking about what IP fields to carry, because you're, you know, you're carrying multiple IP packets in each outer IP, certainly because you'll be creating, like, pad packets, right. So what IP fields do they carry?

H
Do they carry the last ones? Anyway, all of that sort of stuff can be discussed in a separate document, and, you know, that way we can move the simpler method, the tunnel mode, forward, so that seemed to go fine. Everyone just wanted to make sure that, you know, it doesn't conflict with the tunnel mode, and basically, you know, since we have the subtypes, we also have flags, and even the mode itself of going transport mode can differentiate any header changes we might need in the future.
H
So anyway, coming back, throwing it back to the IP number. We do have the AD in the room and the chairs are here, so I'm wondering if we can, could we make it, can we make that official? Maybe I'll leave that question to the very end of the presentation, though. Let's go to the next slide. The other issues that we were looking at was possibly doing an alignment.

H
So I went and looked at this while I was... I've been working on a reference implementation of this, and what the cons are, basically, is that it complicates the encap/decap to do, you know, alignment between the data blocks, or, you know, the inner packets in the payload. It also wastes bandwidth. The reason to do it was basically to make it, you know, less rigorous white box code to work like ASICs.

H
You know, that had to be handled in the kernel, but in any case, what you end up finding is that even when you're doing chained buffers, you end up having to parse the packet to find, you know, you have to parse the packet to find the header, and you're always doing a copy out of the packet header just because you've already cache loaded it, right. So when I went to find the header, I've already loaded the first 64 bytes of the packet into the cache anyway.

H
So basically, it just seems like we don't need this, and it keeps things simple. The other thing is that we're still planning to... we've got a VPP implementation that we'll be publishing this year, open source, with congestion control and the IKEv2 changes, and we're also very interested in working with other people and collaborating on other implementations or interoperability testing. Next slide.

H
So we're wondering if there's any more comments and if we're ready to go to working group last call.
C
Okay, since no one's at the queue, I'll speak first. So the thing that concerns me about this document is that I don't think it got a lot of review, and, yeah, working group last call is one way to get it, but another thing I think we might do is ask for a transport directorate early review, because they usually have stuff to say about documents like this. And so, if anybody has another idea of how we can get more review for this, that would also be great, because, yeah, working group last call is one way, but I don't know if it's the best way.
A
This is... I have been, you know, I haven't actually been following this discussion that much, except for the protocol number, and I was there when the WESP protocol number was allocated, and I think you have a very... or it might be that the processes have changed slightly, but at that point it was really, really hard to get the protocol number for WESP.

A
We had to fight for it, because: why do you need two? You already have two; why do you need a third one? And that was one of the problems we had at that point. It might have changed. The question I have there is: how many people have actually read these documents? So if people could actually, you know, just type into their Jabber, you know, if you have read it, so we can actually see if there is...

A
Right, yeah, yeah, so we seem to be having about five people who have said that they have read the draft. Okay, do you have somebody in the queue?
K
Can you hear me? Lou, hi, Lou Berger. I was just gonna say, I don't think getting a protocol number is such a big deal. I went through the protocol list and there's quite a number that are really old and could be deprecated. I actually talked to someone else who has some protocol numbers assigned to them.

D
I am happy to send something along, so if we can get a fully filled out protocol allocation, or so, if we can get a fully filled out registration template, I'm happy to send that along to the right place.

H
Well, and thankfully I sent that to the chairs. I'm trying to cover all the bases, so I went to the protocol request form and filled out all this stuff, so yeah, yeah. The process is supposed to...

D
Be that the request is made of the chairs, and the chairs are supposed to send it to the AD, and then the AD will approve it, right, and get...
C
Okay, so any objections there for early transport directorate review? Because, as far as I remember, and that was six months ago, it's a pretty complicated thing, with a lot of moving parts.

C
So, okay, so with no objections I'll make the request. Okay! So now we're just one minute behind schedule, so we can move to the other presentation, about something that is not currently a working group item.
H
Correct, so this is in other working groups. Everyone's favorite pastime is to talk about YANG, so a colleague of mine, Don Fedyk, is also in the room to take questions too. We put together a YANG model to support management of the IP-TFS. Next slide.

H
So basically, we have two things: configuration and operational data. The configuration is whether to turn on or not congestion control, the fixed packet size, or, you know, so there's two ways to specify that: either just a fixed size, or to use path MTU, or the combination where you could say, for example, we want 1500 octets but use path MTU to lower it.

H
The other configuration item is the bit rate to send at. So, you know, there's two ways; we found it was actually more useful to specify the L2 bit rate, because, you know, if you know I want to use, you know, 100% of this Ethernet or 10% of this Ethernet link bandwidth, people just tend to think more of that, right. I've got a 10 gig or 100 gig link, and then, you know, so. Obviously the little gray box is saying, you know, the packet transmission frequency is that rate divided by packet size.

H
The last configuration is whether to allow fragmentation or not of the inner data blocks. Next slide. So this is what that looks like. I'll get to the model that we're augmenting, but basically this model has an IKE and an IKE-less entry. So for IKE mode we augment the connection entry under the SA configuration, and this is just the YANG tree, right.
H
So you can see the congestion control boolean, the packet size, the choice of a tunnel rate, either L2 or L3, and the don't fragment, and then, likewise, the way YANG works is you have, you know, the requested config. So that's what the upper one is; the lower one is what it's selected, and this is...

H
This is sort of useful; for example, think about how, if you set use path MTU but you didn't specify an outer packet size, you would be able to look up in the operational state and see outer packet size, and that would actually be the size that the path MTU had selected. Next slide.

H
This is just the same exact config, but in this case it's in the IKE-less module, and so it's under the SPD entry. That, by the way, this is actually a grouping, because the connection entry used SPD entry. So it is the same; we're augmenting the same grouping, basically, in IKE and IKE-less. In this case, we augment the security association database entry, the SAD, basically for the operational config, so that's what I noted there; it's different from IKE, because it's now under the SAD entry. Next slide.

H
So the operational statistics, these are pretty straightforward: we've got the outer IPsec counters, which is basically TX/RX, drops and error counts, and then we've got more detail with the inner packets. We track the number of inner packets and octets, the amount of padding that was added. So we break the padding up into two different counters.
H
One is the padding that we added to, so, in other words, an IP-TFS packet that included user traffic but also padding; that's extra pad. But then there's also times where you're just sending an entire IP-TFS payload of pad. So that's what's counted by the all-pad, and the same counters for receive. The error would be like a framing format, and the missed is where you're, not, you know, you've seen a sequence number miss. Incomplete is similar; it's where you might have missed...

H
So this is just those stats underneath, in this case, the IKE. It goes underneath child SA info, and then in the next slide you'll see it under the SAD entry. Next slide.

H
Oh, we did, sorry. So now here's the issue. So the thing is: there's only one active IPsec YANG model out there, and it's being defined by I2NSF, and, as you can see the name SDN, it's the only active, published IPsec YANG model, so we used it. It is very far along in the process; it's in the IESG publication, so it's still in that process.

H
Not moving forward. Next slide, please. So the issues with the SDN IPsec model: basically it provides an IKE and an IKE-less operation. It also uses an IPsec common, so there's three modules: IPsec common, used by both of the IKE and the IKE-less modules, the IKE module... This is one of the issues we ran into.
H
It doesn't include a security association database, and I asked the authors, and the reason they said was they don't care, because the SDN model is set up to be controlled by a centralized controller, and all they care is that they told IKE what to do and that IKE did it. And it has a child SA info leaf that holds the connection...

H
Connection's SA-related information, but, you know, as everybody in the room probably knows, you know, you've got a connection and it's gonna cycle through child SAs and stuff like that, right. But also, it's also missing the SA information, right; it has... my slide is a little bit wrong. It also includes not just lifetime values, but it includes the, like, ESP encapsulation type, right, like whether there's a NAT or UDP, and a few other things like that. What it doesn't include is the selected transforms, right.

H
So, you know, you might be specifying a bunch of different possible ESP algorithms, encryption algorithms, but it doesn't tell you which one it's selected. Also, both of the models don't have any counters, you know, on either; it... you could... so yeah. I think the IKE-less might have some counters, read-only state counters for the lifetime value, but that information is just... that's not provided in the child SA info. You can specify the configuration, but it doesn't keep a running count.

H
Let's go to the next slide. So we can easily modify this model, but in two ways. We could move the SAD into the common, out of the IKE-less, basically just recognizing the fact that, you know, IPsec implementations have a SAD and an SPD, at least logically, whether they're running IKE or not, and if we did that, then under child SA info you could actually then track the SA that IKE created, right. So you would just have a reference to the SA, the SAD, likewise.
H
Otherwise, you know, late in the game, it's pretty easy to change, like, the module name. So if you noticed earlier, the module names for these SDN models don't include the letters SDN or I2NSF, right; they just say ipsec-common and ipsec-ike, so. If they're not going to make a few adjustments to be usable as a base model, I think that we should ask them to add SDN to their module name, so that they don't look like they're representing, like, in general. So the next slide.

H
I got an example of how to change. So the change that we're talking about here is that IKE-less basically has an SPD and an SAD, and all we're really talking about is just moving it to the common, and then the IKE-less module would just be the notifications.

H
I don't want to get too much into how the SDN model works, but those notifications are critical to running IKE-less, right. It allows the acquire to be sent from the receiving IPsec router to the SDN controller, so those stay the same, but just move the state into the common model, so it's shared by the IKE and IKE-less. Next slide. I think there's one other change. So what this means is that in the existing IKE model, you just change the hard...

H
So if we're able to make those changes, then IP-TFS just augments the common SPD entry, and previously we had to do this in two places. The operational config augments the one SA entry instead of two places, and the operational statistics modify the SAD entry. This was not available under IKE, but now would be. So it would cover both cases, and we would continue to augment the child SA info, because this would carry aggregate statistics, right.
H
So, you know, your per-SA statistics are gonna need to be summed up over time for the connection. Next slide, please. So that's it. So the question that we have for the group is: what should we do? And I will note, ... is the shepherd for the SDN documents, so curious about your opinion. In particular, I mean: do we think it's too late? It's a very small change, and then they would... they were actually... it's...

H
A lot of work was done in this and it's good work, right, and they could easily serve as base models that we could take forward.
C
Well, yeah. On the other hand, the I2NSF working group does nothing but the YANG models, and it doesn't have any more energy for anything.

C
And I would guess that the right thing to do is to talk to the authors and see if they're open to adding the SAD to the common in their document, and yeah.

H
They seem not receptive to that, and I understand why, right; they've pushed through to a certain part of the process.
H
Maybe, you know, I mean, but the one thing that's different, I guess, here is that this is the working group that actually understands the change, right. The conceptual change, that moving the SAD from an IKE-less into the common really isn't a big change, right; you're just moving what module it's under, and the only thing we're really logically saying is that all IPsec has a SAD, versus just IKE-less, right. Right, but for the...

C
For the use case that interests I2NSF, a central controller configuring a lot of IKE or IPsec gateways, they don't really need it, so.
A
So it's because of this that they actually want to keep that; they probably want to keep it where they have it now, so it's clear for them that they only fill it in and use that to configure IPsec when they are in the IKE-less mode. And if it's in there, yes, both of them have, of course, SAs, but when you are using IKE to configure the SAs or create the SAs, you are not supposed to write the YANG model stuff and create the SAs yourself.
H
Correct, so I'm a YANG doctor too, so the problem is that that's not actually what YANG is gonna do, and that's not what they're specifying, right, because we have something called NMDA models anyway. The point is, when you configure something, it's also operational state. So, you know, just saying that, yeah, you know, they're saying that, like, yeah, we just want to configure IKE, right, but, you know, not having it...

H
Just because you didn't model it doesn't mean the information isn't there. And the other thing is that they could easily say: okay, you cannot configure a static SA if you're running an IKE mode. But these are, like, YANG-isms, and, you know, I'm not sure if we can make the change, but I also think that maybe we can, you know, I don't know if we can get some YANG experts to say, hey, you can make this change.

H
You don't really need to send this back through an entire working group process again, right. I mean, that's kind of what I was hoping. I wouldn't want them to have to kick this back and run the process all over again. I think that, you know, the reason to make the change is that, as you might have seen with YANG versioning, it's not backwards compatible. So if we ever want to reuse this, we can't, right. We have to issue a totally new model.
A
That YANG would be more useful. I would be very happy about that, and, you know, I don't care if it comes from I2NSF or if it comes from IPsecME, but if it's useful for more purposes, I think it would be very useful to have that kind of thing.
H
We are completely willing to help on that work. We would really want to be using the work they did, though, right, and not starting afresh. So that, I mean, that's just... that's why we're bringing this up. It just seems like such a waste, you know, to waste all the effort, to, you know, re-run the entire process for something they've already done. But maybe that's what we have to do, and we just copy their exact modules.

H
The problem is, when you think about this from an operator standpoint, having two different modules that are almost identical but aren't, right, it's just... for operators this is not friendly. For, you know, IETF process, maybe it's friendly, and maybe for vendors that's friendly, who only want to do, like, an IoT device or something, but, you know, for operators that are actually running this stuff, it's not fun to have multiple modules that are almost identical.
D
Yes, has been... no, we had a little discussion in the Jabber that the I2NSF document may benefit from having a YANG doctor review at this point, and depending on how that comes back, they may need to make significant changes anyway.

C
Perhaps, Ben, it's already had the YANG doctor's review.
K
I wasn't going to get there, but it is... the datatracker's page says that it had a YANG doctor early review, not a final review, and it's not an early version, and one of the comments in there from Martin, who did the review, I think his comment was because we didn't follow the guidelines for YANG models. One of the things that will happen if it does that is it'll make sure to address all the NMDA issues.

K
Myself... I recuse myself, yeah, but according to the datatracker, it needs another review. Just, you know, again, just particularly because the result of the early review was that the model wasn't ready.

C
Okay, so I don't have a problem with Christian doing the review, yeah. So we've got another one in the queue, Valery.
F
Well, I'd like to draw attention to the G-IKEv2 draft. The rewritten draft had received quite a lot of changes, and it could well... we decided, with discussion with Brian at that time, we decided to make it more along the lines of IKEv2 and not another protocol. So now it is more an extension, a large extension of IKEv2.

F
And another point: I think that the intermediate exchange draft is very long... it's about one year without any changes, and I think that people have implemented it. So it's probably close to working group last call, and so, people...

C
Okay, any other business?
B
Hi, so just one quick comment on labeled IPsec: we are still working on implementing it, so definitely there's still interest; we just didn't get to it. And then there's also the graveyard draft, which we haven't really talked about much. It hasn't seen that many changes; the changes that people requested were put in. So this is a question to the chairs about what to do with it. Are we going for adoption? Are we going to drop it?
A
It would be a good idea to probably continue working on that, because I think it would be useful to have a document to say something about that. But there's also a couple of other... and we know that there's a couple of drafts that are ready for the last call, right, a very good last call that we should be starting to get out. And so I think we need to take this all over to the list.

A
So if people would send the reminders to the list saying that, okay, these documents are ready and should be going to the working group last call, so we can start it. And for the graveyard document, I think you should talk with the AD first and, you know, discuss whether he wants to, but whether he thinks it's actually better to have it as, you know, AD sponsored or a working group document, because I think the problem with a working group document is always a little bit...

A
So, so, if you have any other business, I think you should take them to the working group list, and I think, and I think it would be very...

A
So, so I think it would be also very good to have, you know, an interim meeting about the ESP stuff, because I think there is going to be lots of discussion about that. But it was... I realized that it's going to be taking about an hour or so to discuss that. So that's why I think we cut it short here, and I think it would be better to have an interim meeting somewhere to discuss only that, or something like that. Today was just the pitch meeting.

C
Okay, so we've got a bunch of things to do. So with that, I think I can click the terminate meeting button, or just wait for Meetecho to shut us down in five minutes.