►
From YouTube: IETF93-I2RS-20150721-1740
Description
I2RS meeting session at IETF93
2015/07/21 1740
B
A
F
A
B
B
C
Good
afternoon,
this
is
our
last
session
before
the
social,
so
we'll
try
to
be
prompt
and
get
you
out
on
time
to
enjoy
either
the
social
or
some
fun
out
in
Prague.
This
is
the
note.
Well,
please
note,
take
your
time.
The
slides
are
online.
Please
read
it.
This
is
an
ITF
session
and
guard
and
we
operate
under
the
note
well
constraints.
Our
agenda
for
today
is
the
t's
topology
report.
Pravana.
Are
you
in
the
room?
C
C
Daniel
has
our
truest
environmental
security.
Now
environmental
security
is
specific,
for
are
the
people
who
are
in
net
Kumpf,
not
a
net
comp
protocol
issue.
It
is
simply
the
security
environment.
One
of
the
feedback
pieces
we
got
on
the
architecture
is,
we
didn't
necessarily
consider
the
environment
that
I
r2s
is
working
in
and
that
it
might
be
different
and
we
needed
to
consider
these
things
for
the
security
people
to
be
able
to
evaluate
the
ir
2
s
protocol.
C
C
So
we
met
with
the
t's
key
members
of
the
teams
working
group
in
a
session
last
night.
They
were
kind
enough
to
meet
with
us
after
all
the
other
sessions
at
twenty
eight
o'clock
at
night,
and
we
looked
at
the
generic
through
polity
metal
and
what
we
just
cited
agreed
is
that
the
TE
topology
will
augment
the
generic
dupatta
network
topology
as
a
full
stack.
It
will
augment
the
general
topology
model
and
that
in
the
l3
topology,
the
TE
topology
doesn't
have
to
be
two
congruent
with
the
routing
topology.
C
You
may
have
a
te
topology,
which
is
in
a
different
set
of
topologies
to
cater
to
where
the
congruence
does
exist.
The
topology
elements
in
the
l3
topology
will
reference
corresponding
that
way.
If
you
pull
a
full
topology
model,
you
can
see
whether
it's
corresponding
in
where
it's
different.
The
same
thing
will
happen
at
l2
and
it
will
reference
it
that
way.
C
You
can
know
your
whole
kepala
g
model
for
layer
0
through
service
layer
in
the
generic
way,
and
you
can
know
the
full
apology
database
in
te,
and
you
will
know
where
they
intersect
I,
think
that
will
give
us
great
information
about
the
network
for
the
programming
interface
and
again
t
1
the
0
1
2
apology,
the
T.
Each
apology
is
an
abstract
of
the
data
plane
and
what
will
happen
is
the
l1
and
l2
topologies.
There
were
augmented
Leon
who
has
been
doing
all
the
I
to
RS.
C
C
G
G
So
my
update
is
also
really
short,
so,
yes,
they
are
tool.
So
there
are
two
models:
two
drafts
and
basically
one
for
the
genuine
generic
and
metric
apology
model,
the
other
father
layer,
three
network,
apology
model
and
be
nude
new
birds
of
the
graphs
have
been
posted
since
the
last
time.
Often
our
working
group
drafts
and
the
updates
are
key,
very
minor,
the
generic
model.
They
are
just
some
very
small
editorial
updates.
G
I
G
Network
topology
model
for
an
earlier
version.
It
had
not
been
tracked
yet
which
basically
needed
to
make
sure
that
basically,
we
have
the
augmentation
and
there
and
the
condition
and
support
they
express
correctly
and
also
that's
the
other
change,
also
in
relationship
to
the
teeth.
These
discussions
of
all
the
all
the
te
references
have
been
have
been
removed.
So
this
is
now
hands
completely
separately
in
the
t-strap.
G
So
this
baby
just
shows
again
the
high
level
data
model
architecture,
there's
a
little
bit
argument
over
the
diagram
that
is
in
the
in
the
draft
itself.
So
we
have
the
abstract
network
and
abject
apology
model.
We
then,
basically
the
layer
on
layer,
2,
layer,
3,
topology
models
of
their
respective
draft,
sir
derived
from
them,
and
the
service
topology
model
as
well,
and
also
the
T
topology.
I
B
G
J
Okay,
brief
update
of
the
layer,
2
topology
Yamato.
It
was
a
adopted
as
a
working
group
document
and
support
for
the
data
sea
layer.
Two
technologies
has
been
added
to
version
01
also,
we
add
in
a
notification
in
this
version,
so
this
is
odd
updating
this
new
version
and
the
way
we
would
like
to
listen
more
reviews
to
improve
this
model
and
draft
and
welcome
to
making
contributions
to
this
work.
Thank
you
any.
I
Hi
everyone,
my
name-
is
Jen
from
hallway
and
presenting
the
layer
12
power
to
take
a
modo
on
so
actually
I'm,
just
recapping.
What
switch
is
set
in
a
bit
more
detail,
a
process
that,
as
some
of
you
have
noticed,
does
not
update
on
a
layer,
1
topology
model
but
I'm
actually
have
a
local
copy.
I,
augmented
our
generic
network,
topology
model
s,
Alex,
Alex,
I've
shows
and
I
narrow
down
the
scope
to
the
ODU
layer,
which
is
the
TDM
switching
layer.
I
As
for
the
layer,
1
layer
0,
which
is
the
numba
switchin,
it
will
be
covered
in
separate
jobs.
So
if
we
discussed
on
Mount
monday
nights
that
I
may
go
for
the
layer,
1
topology
is
going
to
augment
from
te
valla
moments.
There
are
issues
I
need
to
work
out
with
stub
a
tee
topology
draft
authors
and
also
as
like
Alex,
and
already
mentioned,
that
the
t
is
going
to
augment
from
generic,
so
I
need
to
make
a,
but
that
happened
for
people.
Oh
I
can
actually
open
from
the
teet
apology.
I
I
personally
think
that
the
I
tries
making
the
enabler
capability
to
many
pay
the
topology.
So
that's
why,
after
the
layer,
1
suppose
here,
but
in
terms
of
the
people
who
knows
they
one
layer
0
is
below
CCC
camp.
So
we
agree
that
it
is
a
scam.
It's
a
better
place
for
this
work,
so
in
the
next
version,
I
expect
that
I
will
will
move
it
to
that
working
group.
That's
pretty
much
it!
Thank
you.
Do.
C
C
C
C
Okay,
I
think
we're
done
with
that.
Thank
you.
You
all
make
it
to
have
an
easier
time,
I'm
going
to
go
to
the
draft
that
I've
been
holding.
First
of
all,
it's
the
service
topology.
One
thing
when
we
discussed
lies,
was
there
a
question?
First
before
we
go?
Oh
you're,
the
mic,
fixing,
ok,
so
the
service
topology
is
one
of
those
things.
E
C
Front
of
Mike
as
well
so
as
the
chair
I
took
on
the
topology
service,
topology
draft
to
try
to
get
a
rough
area
going,
I
am
looking
Michael
Lang
and
several
other
people
have
been
helping
me,
but
we've
had
to
make
several
tries,
because
this
whole
area
of
how
a
service
layer
sits
on
top
of
layer.
3
is
new
work,
so
we've
had
several
price.
Try
one
was
let's
try
a
high
level
and
then
try
to
push
the
envelope
by
doing
an
SSC
draft
to
link
to
the
high
model
for
a
femoral
state.
C
Well,
we
got
lots
of
feedback
from
the
FSC
chairs
that
we
didn't
quite
do
it
right.
So
the
second
try
is
what
you
see
in
the
repository
right
now,
where
we're
at
a
very
high
generic
level,
and
we've
got
some
general
agreement
in
the
last
interim
for
my
dress
that
this
might
be
a
good
idea.
Now
we're
still
looking
for
people
who
feel
like
they
would
like
to
work
on
this,
we're
still
trying
to
form
a
design
team.
C
The
design
teams
we
had
met
made
some
good
forward
progress,
we've
taken
it
back
to
the
working
group
and
then
we
need
to
keep
going
so
if
you're
interested
in
the
service
model,
please
let
us
know
now
I'm
going
to
give
a
brief
example
of
what
this
generic
topology
is.
But
I
will
start
with
the
fact.
Our
discussion
with
the
tease
people
last
night
showed
we
still
had
flaws.
Now
the
tease
people
are
a
full
layer,
sack
for
TE,
so
they're
thinking
about
some
of
this.
Why
don't
you
go
ahead
to
the
next
slide?
C
This
followed
Alexander's
methodology
and
it's
not
in
Jeff's
recommended
format.
So
I'll
apologize
right
now
it
may
be
an
eye
chart
to
read,
but
essentially
we
have
a
network
topology
and
what
we've
added
is
an
ID
and
account
to
make
sure
we
know
how
many
nodes
are
in
a
service,
topology
and
nodes.
Is
that
the
service
layer
look
at
the
world?
Okay,
keep
going.
Thank
you
then
you
may
have
excuse
me.
That's
on
the
network
topologies.
We
then
had
the
idea
that
you
might
have
a
service
type.
C
Maybe
it's
an
l2
service,
no
baby,
it's
an
l-3
service
node.
You
might
have
a
next
hop
and
you
would
have
extensions
for
specific
implementations
for
l2
or
l3
VPN.
To
add
information
go
to
the
next
slide.
So
then
we
have
a
link
where
you
might
have
a
metric
go
ahead
and
then
you
have
a
termination
point
where
you
have
an
identified
air
for
a
network,
an
OTP
now.
Some
of
this
is
where
we
have
a
question
of.
C
Is
this
how
you
link
a
TP
to
an
IP
service
node,
so
we'd
look
for
more
feedback
and
that's
it
for
our
update
for
service
topologies.
We
will
be
having
interims
to
discuss
this
point,
so
we
can
make
more
rapid
progress
to
report.
Our
rapid
progress
from
the
design,
team
and
I
want
to
thank
all
of
the
design
team,
Genghis
and
all
the
other
people
that
we
work
with
to
help
us.
Ok,
that's
it
for
the
topologies.
Are
there
any
questions
for
the
topology
authors?
F
Eco
briskin
agua,
so
don
Bogdanovich.
He
actually
had
a
very
useful.
A
draft
present
on
netconf
I
believe
where
he
has
like
a
description
of
classification
of
the
various
topologies
and
and
models
I'm,
sorry,
whereas
models
and
how
they
basically
interconnect
with
each
other,
who
uses
whom,
whose
client
who
is
provided
self
again
so
I,
suggested
to
it.
Topology
model
as
well
to
his
classification
and
I
also
suggest
to
get
the
service
topology
model,
and
if
we
would
see
basically
not
just
layering
and
over
an
underlay
and
also
like
a
client-server
relationship.
C
K
K
Those
are
the
list
of
Arthur,
so
so
intervista
packet
switching
element
is
a
collection
of
Yang
data
model
that
represents
the
routing
table,
the
interface
table
and
the
routing
context
that
could
associate
those
routing
tables
interfaces
or
with
mpls
labels,
or
with
VX
lon
eni
or
whatever
dmax,
to
identify
the
routing
table,
along
with
some
of
the
interface
as
well
configuration
needed
for
what
we
call
a
packet
switching
element
to
perform
the
layer
to
VPN,
VPN
or
layer,
3
VPN
functionality.
So
here
we
are,
we
are
talking
about
separating
the
control
plane.
K
So
on
the
packet
switching
element,
we
are
not
going
to
be
running
the
routing
protocols,
the
BGP
or
GP,
or
the
MPLS
control
protocol
are
the
packet.
Switching
element
will
be
capable
of
resolving
as
a
route,
so
the
prefixes,
if
you
are
going
to
be
setting
up
the
routing
table
ways
via
whatever
next
hubs,
that
we
are
going
to
set
up
as
well
as
a
via
in
zoos,
routing
table
to
go
or
two
to
provide
the
connectivity.
So
so
this
slide
is
simply
presenting.
The
motivation
here
is
that
we
have
a
control
plane.
K
That's
not
coupled
with
a
packet
switching
element,
but
the
packet
switching
element
need
what's
the
control
plane.
This
is
the
v
GP
or
zai
GP
our
route,
routing
information
that
they
are
going
to
be
discovering
over
the
network
to
be
set
up
to
that
packet
switching
element
and,
of
course
you
know,
that's
definitely
in
scopus
what
is
being
defined
as
the
N
or
software-defined
networking,
and
here
we
are
simply
mentioning
some
of
the
advantages
of
that
separation
of
the
control
plane
out.
K
So
yeah
it's
reiteration
of
the
point
here.
So
what
we
are
saying
here,
the
packet
switching
element
I,
need
the
rib
of
the
routing
table
to
perform,
of
course,
as
a
forwarding
function
or
the
data
plane
function
to
provide
the
connectivity.
So
he
needs
what's
necessary
for
him
in
his
position
in
the
network
to
do
a
set
function,
the
ypsi
the
way
we
are
defining
it.
As
we
said
it's,
a
collection
of
young
data
model
for
the
routing
table,
the
interface
table
and
the
contacts
table
or
providing
the
relation
to
identify
those
routing
table.
K
So,
given
that
sang
data
mothers
who
are
saying
it's,
it's
a
particular
protocol
agnostic
here
as
well
as
Hardware
agnostic,
because
we
are
setting
routing
table,
so
we
have
not
height
I,
given
hardware
or
setting
a
specifc
data
plane
or
a
forwarding,
plane
or
a
given
how
to
load
a
see
we
are
setting
our
demarcation
point
here
is
that
the
routing
table
level?
This
is
what
we
are
setting
the
routing
information
and
we
are
using
Ganga's
as
mentioned
so
as
mentioned.
This
is
a
collection
of
data
model.
K
We
have
identified
the
different
modules
that
are
needed,
or
this
is
the
initial
set
of
the
modules
that
are
needed
to
perform
again
for
a
given
packet,
switching
element
as
a
layer
to
VPN,
VPN
or
layer,
see
Vivian
function.
So
those
are
the
initial
what
we
define
initially
as
the
tables
needed.
So
we
are
talking
about
interface,
table
context,
selector
table
I,
pnek,
stable
layer
to
table
label
table
are
and
and
so
on,
including
way
M
as
well.
K
K
The
motivation
again
is
separating
the
control
plane
out.
It
can
run
out
na
couple
ways
the
packet
switching,
what
we
call
effects
switching
element.
We
are
setting
again
on
the
packet
switching
element,
zeliha,
truly
a
surrouding
table
and
associated
contacts,
azusa
routing
table
and
the
interface
table
function
on
definitely
the
packet
switching
element
which
there
will
be
a
need
of
an
agent
that
can
receive
that
the
data
defines
and
data
model
and
set
up,
of
course,
the
packet
switching
element
to
perform
the
associated
function.
K
Modeling
language
here
for
the
data
needed
by
the
packet
switching
element,
and
you
know
we
we
as
well
given
that
that
control
plane,
we
are
perceiving
that
it
can
control
more
than
one
packet.
Switching
element
are
not
only
one
but
set
up
again.
The
packet
switching
element
with
the
information
needed
based
on
its
position
on
the
network
or
on
a
given
fabric,
then
possibly
is
a
need
of
faster,
including
interface
or
a
faster
interface
to
set
of
those
packet.
Switching
element
may
become
needed.
K
So
this
why
we
are
thinking
as
well
about
a
binary
protocol
encoder
that
can
be
used
here
to
speed
up
the
setup
of
the
routing
table
to
the
packet
switching
on
and
that's
about
it.
Any
comments.
H
K
Yeah,
that's
a
good
point.
What
we
are
saying
here,
our
demarcation
point
for
what
we
are
setting
for
the
packet
switching
element
is
much
higher
than
an
open
flow.
So
so
we
are
not
talking
about
the
controller
of
the
control
plane,
really
resolving
the
full
forwarding,
as
as
an
open
flow,
would
require
right.
So
so
we
are
setting
the
only
the
routing
table
right
with
the
prefix
via
the
next
hop
left
side
and
then
leaving
the
packet.
K
K
We
are
open
in
that
regard
right
so
so
we
are,
you
know,
accepting
comments
as
well:
onza,
okay,.
H
So
the
final
bit
of
falcongate
follow
up
on
that
is
obviously
a
femoral
state
is
one
of
our
sticking
items
in
the
Charter.
If
that's
a
thing,
that
is
something
you're
playing
building
your
infrastructure
on
that
does
cause
you
some
level
the
dependency
one
other
thing
I
would
ask
you
to
consider
is
whether
or
not
a
RPC
style
mechanism,
even
if
you're
using
yang
is
your
modeling
language
is
perhaps
more
appropriate
for
you're.
Looking
for
mm-hmm.
E
C
K
C
Nice,
so,
in
the
same
question
with
Joe
and
some
of
the
trace
abilities
were
interested
to
see
as
his
work
continues.
Is
it
work
inside
the
ephemeral
straight
and
some
of
the
things
that
have
been
implemented?
Some
of
the
things
that
we've
been
chartered
to
do
in
that
regard,
so
we
we
can
catch
up
on
line,
but
I
think
lots
of
the
authors
here
might
like
to
ask
you
questions.
Okay,.
L
A
C
Okay,
I'm
going
to
try
remote
clicker.
This
is
one
of
the
requirements
drafts
that
came
in
a
little
later.
The
chair
sometimes
gets
to
pick
up
requirements
drafts
when
I
don't
find
a
volunteer.
So
this
is
about
the
protocol
requirements
that
were
initially
in
Jeff's
requirements
draft,
but
we
split
some
of
the
stuff
out
into
a
femoral
state
and
network
requirements.
C
He
had
a
editorial
review,
although
eight
I
may
have
misclassified
york
and
that
may
be
real
I
classified
it
in
both
ways,
because
I
wasn't
sure
if
it
was
confusing
or
if
it
was
just
not
a
security
requirement.
So
I
put
it
in
this
slide
in
both
to
be
fair,
I
will
go
through
the
requirements,
but
I
thought
you
could
pause
and
if
you
could
just
look
at
this
for
a
moment,
this
is
your
guns
viewpoint
and
yurgin
in
the
past
had
been
our
secure
our
net
comp
advisor
here.
C
So
you
may
want
to
take
a
moment
to
look
at
that
notice.
His
concerns
is
where
the
requirement
eight
is
the
security
requirement,
and
why
is
d
dots
on
a
protocol,
a
concern
or
requirement
to
net
come
and
why
multiple
messages
was
a
requirement
by
the
way,
I
actually
sort
of
pulled
this
from
the
requirement
state
and
pulled
it
into
the
talking
state
Andy.
This
is
our
you
know:
do
all
the
errors.
C
Do
part
of
the
errors,
stop
on
error
section
and
that's
that's
the
multiple
message
and
then
the
last
question
that
this
working
group
really
has
to
consider
is
early
on.
In
the
working
group.
We
had
the
discussion
that
why
support
an
insecure
that
we
wanted
to
be
able
to
have
a
transport
protocol
that
wasn't
encrypted
or
security
based
and
yurgin
is
asking
is
one
more
time?
Is
this
really
what
you
want?
M
C
C
Okay,
I'm
going
to
read
through
this
and
try
to
give
you
a
talk,
I'm
going
to
sort
of
pause,
hope
that
you
can
pull
down
the
slides,
but
I'm
not
gonna,
read
all
the
pieces,
I'm
going
to
highlight
certain
certain
require
security
requirements.
So
the
first
thing
we
put
in
the
security
requirements
is
perhaps
basic
101
on
I
r2s
clients
and
I
er
to
its
agents
with
mutual
authentication.
I
first
thought:
if
I
said
that
you
understood
all
these
points
below
but
I,
then
like
a
good
requirements,
a
person
wrote
them
all
out.
C
So
you
know
you
must
have
at
least
one
unique
identifier.
You
must
use
these
identifiers
to
do
mutual
authentication.
You
must.
The
client
must
confirm
the
agent.
The
agent
must
confirm
the
client
and
we
agreed
that
we
should
load
this
on.
A
protocol
outside
of
our
2s
triple-a
is
a
and
diameter
or
radius
is
a
perfectly
good
way
to
transmit
stuff.
That
may
not
be
the
way
you
send
out
your
identities.
You
may
do
something
perfectly
valid
outside
of
that.
C
As
long
as
it's
secure
that
your
thing,
that's
not
what
I
er
to
us
is
about.
In
addition,
there
are
three
things
which
travel
into
the
area
of
identity
and
secondary
identity,
good
I'm,
still
standing
in
the
pink
box,
so
I
r2s
should
assume
that
the
distributing
or
the
loading
of
these
in
don't
have
to
before
establishing
the
connection,
and
that
includes
both
the
primary
identity
and
second
identity
and
the
identity
must
be
linked
to
one
primary.
C
The
link
with
a
secondary
identity
only
occur
is
required
to
be
the
same
during
a
particular
reader
right
sequence,
but
it
may
change
and
again
this
is
the
opaque
value
that
allows
different
functions
within
the
single
clock,
client
identity,
to
change
a
lot
of
debate
on
secondary
identity
with
the
net
comp
meeting
on
Thursday.
This
may
come
up.
So,
if
you're
interested
in
this
topic,
I
encourage
you
to
be
to
the
met
competing.
C
Q1
p.m.
on
thursday
iOS
is
immediately
after
it.
Please
come
the
transport
requirements.
We
should
be
able.
We
should
use
a
secure
transport,
jerkin
said.
So.
Why
would
someone
do
something
else
and
I
understand
that
comment?
That's
actually
good
comment,
but
we
did
go
through
and
say.
This
is
what
secure
transport
means
to
us.
We
will
have
be
able
to
support.
The
transfer
of
data
over
sir
care
transport
here
is
where
we
have
a
non-secure
alia
did
I.
Do
something
wrong.
G
E
N
Heard
occur,
I.
Don't
think
that
I
mean
you're
really
talking
about
two
different
transports
here:
right
you're,
talking
about
how
to
configure
the
pub
sub
over
something
else
where
that
configuration
mechanism
certainly
needs
to
be
authenticated
and
netcom
provides
that
that's
really
so.
This
requirement
really
needs
to
have
two
pieces.
One
is
how
to
do
the
configuration
and
how
to
look
at
the
configuration
that's
going
to
require
the
security
properties.
If
I
be
fix,
doesn't
go
over.
You
know
anything
secured
today.
N
Well,
maybe
it's
going
out
over
you
know,
HTTP
doesn't
go
out,
isn't
secure
today,
but
people
still
use
it.
There's
that's
just
fine
in
some
cases,
but
from
a
net
com
point
of
view.
The
chance
is
doping
up
a
net
com
protocol
which
you
know
exposes
a
whole
ton
of
configuration
over
something
that
isn't
you
know,
authenticated
and
hopefully
encrypted
probably
won't
get
won't
fly
but
I
think
that's
okay!
For
what
you're
trying
to
do.
E
E
D
C
C
Now
there
are
mentally
management
said
we
did
mean
the
appreciate
keys
were
acceptable,
and
if
anybody
who
is
a
key
management
person
will
look
at
the
requirement
text
and
help
me
fix
it,
I
would
appreciate
it.
Jurgen
says
I'm,
not
quite
tight
enough.
So
please
make
comment.
Send
me
any
texts
Corrections
there.
C
Ok,
the
next
thing
is
I
r
2
s
must
be
able
to
support
multiple,
secure
transport
sections
providing
the
protocol
and
data
communication.
So
I
think
we
just
gone
to
that.
But
we've
always
said
you
must
be
able
to
have
more
than
just
one.
You
must
be
able
to
have
four
or
five
parallel
once
and
that's
really
an
important
piece
and
I
urge
us.
This
is
where
that
the
dust
mitigation
one
was
when
we
had
a
security
person
who
spends
his
life
working
on
security.
Daniel.
Are
you
here
from
erickson?
C
C
Okay,
do
you
want
to
comment
on
this
dee
da
stuff
for
Daniel,
okay,
so
Daniel
when
he
read
through
all
of
our
security
and
he
walked
through
it?
He
actually
spends
his
life
working
on
Erickson
devices
and
security
and
he's
in
the
Security
section,
and
this
is
the
one
he
said
you
need
to
make
sure
that
it
has
DDoS
protection.
C
Any
normal
security
piece
does
so
I
added
it
and
I'm
going
to
go
talk
to
the
security
Directorate
and
Stella
and
get
Daniel
in
them
talking
to
find
out
why
he
felt
it
was
the
one
critical
piece
to
add.
So
if
we
find
something
good
jörgen
from
the
security
people,
I
will
put
more
detail
on
this.
If
we
can't
find
substantial
wheel
will
try
to
pick
up
by
that's
where
I
got
that
one
in
a
critical
infrastructure.
This
is
just
that
it
has
to
be
confidential
and
I.
C
This
is
an
integrity
that
it
shouldn't
be
modified
without
detection
that
it's
actually
coming
where
it's
supposed
to
come
from,
and
it's
not
repeated,
man-in-the-middle
attacks
are
what
some
people
linked
this
to
number
15
the
integrity,
not
repeated
means
that
the
transport
sugar
put
protect
against
replay
attack.
We
all
know
that's
important
and
last
of
all,
the
traceability
that
we've
already
got
in
another
requirement
is
important
and
it
should
be
supported.
This
is
again
in
a
channel
that
is
non-secure
to
trace
about
security.
E
C
Non-Secure
section
of
well
again,
if
you're
a
security
person
in
Eire
to
s,
we
would
really
like
your
review.
But
that
is
something
that
if
I
read
your
comments
earlier
can
we
should
probably
include
this
in
the
non-secure
section
and
I
believe
this
is
17
Andy.
You
will
now
recognize
perform
until
all
is
done,
perform
until
Air
prefer
for
mentor.
I
took
that
out
as
a
requirement.
You
know
I,
don't
we
had
discussions
on
it
and
I
don't
want
to
put
it
as
a
requirement
to
we
have
a
bit
more
of
discussions.
C
I
I
need
to
turn
this
and
make
sure
that,
because
it
was
in
the
architecture,
we
understand
it,
but
based
on
our
comment,
I
thought
that
really
needs
to
go
away
from
the
specific
requirements
on
that
confident
and
are
to
us
talk
a
bit
more
same
thing.
Another
man
in
the
middle
attack,
roll
security
must
be
used
and
it
may
archers.
Clients
may
be
used
by
multiple
applications
and
you
need
to
be
able
to
turn
on
the
audit
stream
or
turn
on
the
traceability
and
I.
C
Think
we
considered
in
the
audit
stream
that
the
traceability
was
the
level
four
most
audits.
If
you
think
the
audit
stream
should
be
deeper,
please
let
us
know
so
we
can
work
through
some
of
the
requirements.
That
is
the
end
of
my
piece
up.
Thank
you
for
the
great
discussion.
Thank
you
again,
jörgen
for
your
review,
I
hope
to
improve
the
document.
We
will
finish
this
week
out
and
then
try
to
go
for
a
working
group.
Adoption
call
every
time
I
adopt
a
security
document.
C
O
Well,
sue
is
setting
up
the
slide,
I'm
Joel
Halpern
with
Erickson.
I
worked
with
daniel
and
sue
on
this.
It
started
with
daniel
coming
to
me
and
saying
he
was
doing
a
security
review
because
he's
really
an
expert
on
this
stuff
and
I
then
started
working
with
him
on
what
assumptions
we,
as
a
community,
have
been
making
about
system,
but
sometimes
it's
hard
to
get
from
the
words
we
write
to
what
we
mean.
O
So
then
he
tried
to
capture
the
security
when
we
reviewed
it
was
so,
and
she
pointed
out
really
there
were
two
categories
of
things:
he
was
talking
about
stuff
that
was
intrinsic,
which
were
mostly
in
her
existing
document
and
stuff,
which
were
about
the
surrounding
environment.
Now
how
we
will
position
this
document,
whether
it
becomes
informational
or
whatever,
is
not
obvious.
It's
probably
informational
its
documentation
that
writes
down
what
we
have
assumed
the
environment
is
going
to
do
so
that
the
security
things
we
say
work
will
actually
work.
That's
what
we're
driving
at
here.
O
O
Similarly,
there
are
security
assumptions
and
we're
even
worse
about
writing
those
down
than
other
kinds,
so
it
corrupt.
The
current
doc
doesn't
describe
them
well,
so
we're
trying
to
capture
them.
That's
the
focus
here
and
I'm
not
going
to
go
through
everything
in
the
document.
The
document
is
careful
that
says
here
we're
going
to
describe
what
the
question
is
and
then
what
we
think
the
requirement
is
on
the
app
on
the
environment.
That
past
is
required
to
meet
that
because
we
had
an
interest.
O
One
of
the
observations
was
some
folks
like
to
state
requirements
and
then
explain
them,
and
some
folks
like
to
state
context
and
then
provide
requirements,
and
the
only
thing
that's
really
bad
is
to
do
bulletin
in
different
places.
So
document
picks
one
approach,
installs
you
which
way.
It's
doing
so.
We
group
the
requirements
into
three
kinds
of
requirements:
plane,
isolation,
requirements,
triple
a
policy
requirements
and
application,
isolation,
requirements
and
they're,
pretty
straightforward
and
again
I
say
the
details
bring
the
doc.
O
This
section
treats
the
itrs
exchanges
as
a
separate
plane
from
the
data
plane,
control,
plane,
the
management
plane,
I,
don't
I,
don't
care
whether
you
want
to
treat
it
for
all
purposes.
Us
separate
plane,
whether
you
want
to
treat
it
as
part
of
the
control
and
management
plane,
because
you
think
they're
really
one
plane
a
lot
of
the
st
n
stuff.
Lunges
control
planes
and
management
planes
and
drawing
hard
lines
is
tricky.
O
O
So
the
point
is
that
this
exchange,
because
of
its
nature,
we
are
assuming-
has
isolation
and
security
characteristics
that
the
connectivity
mechanism,
whether
that
is
a
separate
authenticated
tunnel,
ipsec
or
whether
it
is
physical
segregation,
because
many
operators,
what
this
kind
of
thing
to
be
on
a
physically
separate
network
or
different
vlans.
But
attention
needs
to
be
paid
to
that
segregation.
O
So
what
we
tried
to
do
is
point
out,
there's
a
general
isolation
issue
and
a
range
of
techniques,
and
then
there
may
be
cases
where
the
I
Torres
plane
needs
to
interact
with
the
other
planes.
After
all,
a
frame
that
doesn't
affect
anything
else
is
not
really
very
important
to
your
work.
So
we
try
to
cover
this
material.
O
I'm,
probably
talking
too
fast,
but
Triple
A,
we
depend
very
heavily
for
the
reliability
of
what
we're
doing
the
security
of
what
we're
doing
in
I
to
RS
on
Triple
A
and,
of
course,
we
can't
mandate.
You
shall
use
radius
and
you
shall
do
this
request
in
that
request,
a
lot
of
different
ways
to
deploy
triple-a,
a
lot
of
different
ways
to
store
the
information
in
different
systems,
depending
on
how
you
run
your
network.
O
But
we
do
make
assumptions
about
the
capabilities,
so
we
have
a
whole
section
that
walks
through
the
kind
of
assumptions
we
make.
The
information
we
are
assuming
the
triple-a
provides.
It
doesn't
care
whether
its
diameter
radius,
tacacs+
I,
don't
care
which
protocol
it
is,
but
you've
got
something.
That's
giving
you
this
information
and
you're
making
assumptions
about
the
reliability
of
that
there
probably
is
actually
more.
That
needs
to
be
said
about
the
security
model
of
that
that
we
are
taking
for
granted.
I
haven't
rira,
viewed
it
since
I
thought
of
that
question.
O
But
the
point
is
to
clarify
what
we're
assuming
about
Triple
A
and
make
sure
it
spelled
out
so
that
folks,
trying
to
use
the
I
to
RS
work
know
what
it
takes
to
actually
meet
the
security
reclaiming
to
get,
and
we
have
all
sorts
of
discussions
and
document
about
direct
collision
and
application
interaction.
But
we
don't
really
spell
it
out
from
the
point
of
view
of
the
applications
from
the
environmental
point
of
view
and
among
other
things,
this
gets
back
to
dasa.
O
Folks,
you
tell
you,
don't
want
one
applications
activities
denying
service
to
another
application
with
the
underlying
Network.
We've
tried
to
find
things
like
the
collision
mechanism
to
at
least
reduce
the
likelihood
of
this.
But
there
are
things
you
have
to
do,
deploying
your
applications
paying
attention
to
this,
don't
write
and
deploy
applications
that
every
time
they
get
an
error
that
says
your
state
went
away,
will
promptly
turn
around
and
try
to
reapply
it.
O
Because
one
of
two
things
will
happen:
either
it
will
win
and
then
the
other
guy
will
do
the
same
thing
and
you're
going
to
bounce,
which
is
really
bad
or
they'll
fail,
but
keep
trying,
which
is
essentially
a
lot
of
ways.
So
these
are
things
you
need
to
think
about
from
the
application
perspective,
based
on
what
we're
doing
in
I
to
RS
again
we're
not
trying
to
change
the
I
to
RS
behaviors
here,
but
quite
out
the
behavioral
assumptions
that
underlie
what
we've
done
here.
O
That's
all
I
have
to
say,
because
I'm
not
going
to
run
through
what
section
by
section,
but
if
there
are
questions
about
the
approach
I
can
tag
them.
Questions
on
details
probably
should
go
to
the
list
because
daniel
freely
much
better
it.
Why
exactly
did
you
use
these
words
to
describe
it?
I
need
Daniels
help
and
he's
over
in
the
dls
session
dot.
That's
going
on
in
parallel
with
this
any
questions.
C
Seeing
none
my
thanks
to
the
chairs.
Thank
thank
you
very
much.
We
will
please
send
your
questions
to
Daniel
on
the
list.
This
is
the
end
of
our
presentations.
We
thank
you
for
your
time
recall
that
we
will
meet
again
one
o'clock
for
the
net
com
session
on
Thursday
I
strongly
I.
Ask
all
document
authors
in
our
tourists
to
attend
the
net
com
session
in
case
people
have
questions.
I
also
will
ask.
We
will
have
a
discussion
there
and
then
we
will
continue
on
with
discussions
at
the
arch
us
meeting
on
Thursday.