Donald Eastlake | 9 Sep 2011 00:24

Future of the PPP WG

Hi,

In case you were unaware, I am now the Chair of PPPEXT.

Generally, there has been little activity in this WG for some years.
Although I believe it serves a useful purpose in examining PPP
proposals, possibly that purpose could be served by just continuing
the mailing list. In any case, it seems likely that, if the situation
continues unchanged, the WG will be dissolved sometime early next
year.

In the process of producing RFC 6361, it became very apparent that the
PPP security RFCs, such as they are, meet few, if any, modern IETF
security guidelines. I believe that there should be an update of PPP
security or, if an effort to update them fails for some reason, then
at least old / inadequate / unimplemented PPP security RFCs should be
declared historic.

My suggestion is that PPPEXT re-Charter to include a goal such as the
above and I'm willing to try drafting a new Charter but welcome
suggestions and comments on all this.

One question is, should PPPEXT have a 1 hour meeting at the November
IETF meeting? I think that would be the best way to come to consensus
on this but obviously only if enough people would plan to actually
attend. So, I'd be interested in who would attend and any opinions
for or against such a meeting.

Thanks,
Donald

Glen Zorn | 9 Sep 2011 13:33

Re: Future of the PPP WG

On 9/9/2011 5:24 AM, Donald Eastlake wrote:

> Hi,
> 
> In case you were unaware, I am now the Chair of PPPEXT.

Thanks for mentioning it!

> 
> Generally, there has been little activity in this WG for some years.
> Although I believe it serves a useful purpose in examining PPP
> proposals, possibly that purpose could be served by just continuing
> the mailing list. In any case, it seems likely that, if the situation
> continues unchanged, the WG will be dissolved sometime early next
> year.
> 
> In the process of producing RFC 6361, it became very apparent that the
> PPP security RFCs, such as they are, meet few, if any, modern IETF
> security guidelines. 

Would these be realistic guidelines (such as RFC 3552 (but do you
consider that 'modern')) or pie-in-the-sky "in my dream world this is
how it would work" guidelines (like RFC 4962)?

> I believe that there should be an update of PPP
> security or, if an effort to update them fails for some reason, then
> at least old / inadequate / unimplemented PPP security RFCs should be
> declared historic.

Do you have a list of said RFCs?

Mark Townsley | 9 Sep 2011 14:00

Re: Future of the PPP WG


On Sep 9, 2011, at 1:33 PM, Glen Zorn wrote:

> One question is, should PPPEXT have a 1 hour meeting at the November
> IETF meeting? I think that would be the best way to come to consensus
> on this but obviously only if enough people would plan to actually
> attend. So, I'd be interested in who would attend and any opinions
> for or against such a meeting.

PPPEXT hasn't met in, what, 10 years or more? The charter hasn't changed significantly since Thomas Narten was AD. I seriously doubt a physical meeting is worth having in what are already jam-packed IETF meetings.  If you have any PPP experts there, it will be because folks like Glen, James, and others happen to have moved on to other areas that require IETF presence. 

If you are dead set on a recharter (personally, I like the pppext charter, and pointed to it as a good example of a "dormant but useful" WG several times as AD) then round up the PPP guys that are still around and chat with them in the hallway and take it to the list. It could even be a fun bar outing, looking back on the good old 90s... perhaps we could get Craig and Karl Fox to dig up some memorabilia. 

But, please don't make Marcia deal with what to her will look like a brand new WG to deal with scheduling.

- Mark


I would attend if I had no irreconcilable conflicts.
_______________________________________________
Pppext mailing list
Pppext <at> ietf.org
https://www.ietf.org/mailman/listinfo/pppext

Donald Eastlake | 9 Sep 2011 20:18

Re: Future of the PPP WG

Hi Glen,

On Fri, Sep 9, 2011 at 7:33 AM, Glen Zorn <glenzorn <at> gmail.com> wrote:
> On 9/9/2011 5:24 AM, Donald Eastlake wrote:
>
>> Hi,
>>
>> In case you were unaware, I am now the Chair of PPPEXT.
>
> Thanks for mentioning it!
>
>>
>> Generally, there has been little activity in this WG for some years.
>> Although I believe it serves a useful purpose in examining PPP
>> proposals, possibly that purpose could be served by just continuing
>> the mailing list. In any case, it seems likely that, if the situation
>> continues unchanged, the WG will be dissolved sometime early next
>> year.
>>
>> In the process of producing RFC 6361, it became very apparent that the
>> PPP security RFCs, such as they are, meet few, if any, modern IETF
>> security guidelines.
>
> Would these be realistic guidelines (such as RFC 3552 (but do you
> consider that 'modern')) or pie-in-the-sky "in my dream world this is
> how it would work" guidelines (like RFC 4962)?

I should think the PPPEXT WG would decide which guidelines, subject
to the constraints of getting documents through the IETF process :-)

>> I believe that there should be an update of PPP
>> security or, if an effort to update them fails for some reason, then
>> at least old / inadequate / unimplemented PPP security RFCs should be
>> declared historic.
>
> Do you have a list of said RFCs?

I don't think it is complete but how about the following to start with:

"The PPP Encryption Control Protocol (ECP)",
               RFC 1968, June 1996.
"PPP Challenge Handshake Authentication
               Protocol (CHAP)", RFC 1994, August 1996.
"The PPP Triple-DES Encryption Protocol (3DESE)", RFC 2420, September 1998.

>> My suggestion is that PPPEXT re-Charter to include a goal such as the
>> above and I'm willing to try drafting a new Charter but welcome
>> suggestions and comments on all this.
>>
>> One question is, should PPPEXT have a 1 hour meeting at the November
>> IETF meeting? I think that would be the best way to come to consensus
>> on this but obviously only if enough people would plan to actually
>> attend. So, I'd be interested in who would attend and any opinions
>> for or against such a meeting.
>
> I would attend if I had no irreconcilable conflicts.

Unless there is significant support, I won't try to have a physical meeting.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 <at> gmail.com

Donald Eastlake | 9 Sep 2011 20:26

Re: Future of the PPP WG

Hi Mark,

On Fri, Sep 9, 2011 at 8:00 AM, Mark Townsley <mark <at> townsley.net> wrote:
>
> On Sep 9, 2011, at 1:33 PM, Glen Zorn wrote:

Actually I wrote the following:

>> One question is, should PPPEXT have a 1 hour meeting at the November
>> IETF meeting? I think that would be the best way to come to consensus
>> on this but obviously only if enough people would plan to actually
>> attend. So, I'd be interested in who would attend and any opinions
>> for or against such a meeting.
>
> PPPEXT hasn't met in, what, 10 years or more? The charter hasn't changed
> significantly since Thomas Narten was AD. I seriously doubt a physical
> meeting is worth having in what are already jam-packed IETF meetings.  If
> you have any PPP experts there, it will be because folks like Glen, James,
> and others happen to have moved on to other areas that require IETF
> presence.

I don't have any particular problem operating PPPEXT without meetings,
if that is what people want, either under the current charter or an
expanded charter to do some security stuff.

> If you are dead set on a recharter (personally, I like the pppext charter,
> and pointed to it as a good example of a "dormant but useful" WG several
> times as AD) then round up the PPP guys that are still around and chat with
> them in the hallway and take it to the list. It could even be a fun bar
> outing, looking back on the good old 90s... perhaps we could get Craig and
> Karl Fox to dig up some memorabilia.

Well, it caused some difficulties with the TRILL over PPP draft that
the current charter prohibits the WG producing any documents, which
seems to also rule out the WG updating any security documents.
Furthermore, I believe that our AD is inclined to shut down the WG if
the current situation doesn't change.

> But, please don't make Marcia deal with what to her will look like a brand
> new WG to deal with scheduling.

Everything has benefits and costs. That it takes some effort to
schedule a meeting for a group that has not met in a long time does
not seem like the exclusively controlling factor to me.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 <at> gmail.com

> - Mark
>
> I would attend if I had no irreconcilable conflicts.

Mark Townsley | 10 Sep 2011 01:51

Re: Future of the PPP WG


OK, I stand corrected. I was thinking of the charter that had existed before and during my tenure as AD:


It seems a few sentences were added in 2009, in particular the unfortunate text that says: 

"The group is not expected to create new specifications, and if a need for such work comes up, a recharter is required."

This looks like Jari's handiwork, he just loves to recharter WGs ;-)

With this new sentence, yes, it looks like pppext is unnecessarily hamstrung from advancing enhancements that the group does *not* think are of questionable value. 

- Mark





On Sep 9, 2011, at 8:26 PM, Donald Eastlake wrote:

> Hi Mark,
>
> On Fri, Sep 9, 2011 at 8:00 AM, Mark Townsley <mark <at> townsley.net> wrote:
>>
>> On Sep 9, 2011, at 1:33 PM, Glen Zorn wrote:
>
> Actually I wrote the following:
>
>>> One question is, should PPPEXT have a 1 hour meeting at the November
>>> IETF meeting? I think that would be the best way to come to consensus
>>> on this but obviously only if enough people would plan to actually
>>> attend. So, I'd be interested in who would attend and any opinions
>>> for or against such a meeting.
>>
>> PPPEXT hasn't met in, what, 10 years or more? The charter hasn't changed
>> significantly since Thomas Narten was AD. I seriously doubt a physical
>> meeting is worth having in what are already jam-packed IETF meetings.  If
>> you have any PPP experts there, it will be because folks like Glen, James,
>> and others happen to have moved on to other areas that require IETF
>> presence.
>
> I don't have any particular problem operating PPPEXT without meetings,
> if that is what people want, either under the current charter or an
> expanded charter to do some security stuff.
>
>> If you are dead set on a recharter (personally, I like the pppext charter,
>> and pointed to it as a good example of a "dormant but useful" WG several
>> times as AD) then round up the PPP guys that are still around and chat with
>> them in the hallway and take it to the list. It could even be a fun bar
>> outing, looking back on the good old 90s... perhaps we could get Craig and
>> Karl Fox to dig up some memorabilia.
>
> Well, it caused some difficulties with the TRILL over PPP draft that
> the current charter prohibits the WG producing any documents, which
> seems to also rule out the WG updating any security documents.
> Furthermore, I believe that our AD is inclined to shut down the WG if
> the current situation doesn't change.
>
>> But, please don't make Marcia deal with what to her will look like a brand
>> new WG to deal with scheduling.
>
> Everything has benefits and costs. That it takes some effort to
> schedule a meeting for a group that has not met in a long time does
> not seem like the exclusively controlling factor to me.
>
> Thanks,
> Donald
> =============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3 <at> gmail.com
>
>> - Mark
>>
>> I would attend if I had no irreconcilable conflicts.



William Allen Simpson | 10 Sep 2011 03:10

Re: Future of the PPP WG

On 9/9/11 7:51 PM, Mark Townsley wrote:
>
> OK, I stand corrected. I was thinking of the charter that had existed before and during my tenure as AD:
>
> http://tools.ietf.org/wg/pppext/charters?item=charter-pppext-2006-07-03.txt
>
> It seems a few sentences were added in 2009, in particular the unfortunate text that says:
>
> "The group is not expected to create new specifications, and if a need for such work comes up, a recharter is required."
>
> This looks like Jari's handiwork, he just loves to recharter WGs ;-)
>
> With this new sentence, yes, it looks like pppext is unnecessarily hamstrung from advancing
> enhancements that the group does *not* think are of questionable value.
>
Ha!  You nailed it in one!!!

# Date: Mon, 18 May 2009 15:35:24 +0300
# From: Jari Arkko <jari.arkko <at> piuha.net>
# Subject: [Pppext] Charter update
#

And my response was:

$ Date: Tue, 19 May 2009 17:53:22 -0400
$ From: William Allen Simpson <william.allen.simpson <at> gmail.com>
$ Subject: Re: [Pppext] Charter update
$
$ Jari Arkko wrote:
$ > The Point-to-Point Protocol (PPP, RFC 1661) is a mature protocol with a
$ > large number of subprotocols, encapsulations and other extensions. The
$ > PPPEXT working exists to provide a forum for asking clarifications
$ > about the existing specifications and to defend against enhancements
$ > of questionable value. The group is not expected to create new
$ > specifications, and if a need for such work comes up, a recharter is
$ > required. The group may, however, advance existing specifications
$ > to the next level in the standards track, if a need for that comes up.
$ >
$ Seems OK, other than "not expected to create new specifications".
$
$ Recent security research has rather obsoleted the ancient authentication
$ and encryption specifications. Every once in a while, I've been thinking
$ about writing some replacement transforms....
$
$ How about changing to: "... new specifications, other than replacing or
$ updating authentication, confidentiality, and improved key management
$ specifications. If a need for other additional work arises, ...."
$
$ Another thing that group probably ought to discuss is formally retiring
$ some of the ancient Proposed work as Historic.
$
$ Admittedly, we gave up on advancing things like IPCP, as IPv4 was supposedly
$ ready to be replaced (for the past 15 years). Ha!
$

Thomas Narten | 10 Sep 2011 03:26

Re: Future of the PPP WG

Donald Eastlake <d3e3e3 <at> gmail.com> writes:

> In any case, it seems likely that, if the situation continues
> unchanged, the WG will be dissolved sometime early next year.

Care to elaborate on this? Or did I miss something?

> In the process of producing RFC 6361, it became very apparent that the
> PPP security RFCs, such as they are, meet few, if any, modern IETF
> security guidelines. I believe that there should be an update of PPP
> security or, if an effort to update them fails for some reason, then
> at least old / inadequate / unimplemented PPP security RFCs should be
> declared historic.

> My suggestion is that PPPEXT re-Charter to include a goal such as the
> above and I'm willing to try drafting a new Charter but welcome
> suggestions and comments on all this.

Is there any evidence that the participants on this list have *any*
(and I do mean *any*) energy to do any such work? And would anyone
even care? (By that, are there still folk doing PPP implementations
that would read such documents?)

This WG's current charter seems to be very realistic and pragmatic
given the state of both PPP and the WG. We should not be updating the
charter to add items that will in practice never get done, no matter
how much we might like to see such work getting done (in an ideal
world).

> One question is, should PPPEXT have a 1 hour meeting at the November
> IETF meeting? I think that would be the best way to come to consensus
> on this but obviously only if enough people would plan to actually
> attend. So, I'd be interested in who would attend and any opinions
> for or against such a meeting.

If the purpose of such a meeting is to talk about rechartering, I see
no evidence that such time would be well spent.

Thomas

Vernon Schryver | 10 Sep 2011 05:37

Re: Future of the PPP WG

> From: Thomas Narten <narten <at> us.ibm.com>

>            (By that, are there still folk doing PPP implementations
> that would read such documents?)
>
> This WG's current charter seems to be very realistic and pragmatic
> given the state of both PPP and the WG. We should not be updating the
> charter to add items that will in practice never get done, no matter
> how much we might like to see such work getting done (in an ideal
> world).

A more accurate way to say that is that this WG should not be turned
into a vanity press for old folks trying to prove we're not irrelevant.

If there is real and substantial work to be done, then it should be
proposed before changing the charter in sufficient detail to convince
honest and well informed third parties that and how the charter should
be changed.

Observations that the security of PPP protocols might be improved
would be valid but entirely insufficient.  Significant needs and
potential fixes must be proposed before starting yet another
multi-year PPP project that would not finish before IPv4 address
exhaustion finally makes IPv6 real.

 ...

Personally I think PPP insecurity was never a very pressing problem,
because link layer security never mattered as much as security at
higher layers.

Besides, other link layer protocols such as 802.11 that are more
popular (measured by nodes using them) and less secure (as commonly
deployed) make the insecurity of PPP links moot.  What bad guy would
bother attacking a PPP/DSL link when a radio can get bits on and
off the same PPP link easier and with fewer traces?

Link layer encryption, authentication, and authorization don't
matter a lot if you have end-to-end confidentiality, authentication,
authorization, non-repudiation, etc.  On the other hand, if you
haven't secured things end-to-end, then link layer security is 
snake oil.

If you've the least connection to today's operational security
community, you know that the worst that could happen with a link layer
attack is trivial compared to what happens now in higher layers.  Even
if this WG could fix PPP security this decade, wouldn't the effort
of the rest of the IETF in reviewing, advancing, and shuffling our
documents be better spent in the higher layers?  Recall BGP security,
what DigiNotar and Comodo prove about PKI (that we all knew many years
ago), old style insecure DNS, DNSSEC vulnerabilities analogous to the
PKI problems, the RIR issues, and so forth and so on and on.

It would be nice to fix nasty messes such as PPPoE, but that ship
has also sailed.

Vernon Schryver    vjs <at> rhyolite.com

Glen Zorn | 10 Sep 2011 07:30

Re: Future of the PPP WG

On 9/10/2011 1:18 AM, Donald Eastlake wrote:

...

>>> In the process of producing RFC 6361, it became very apparent that the
>>> PPP security RFCs, such as they are, meet few, if any, modern IETF
>>> security guidelines.
>>
>> Would these be realistic guidelines (such as RFC 3552 (but do you
>> consider that 'modern')) or pie-in-the-sky "in my dream world this is
>> how it would work" guidelines (like RFC 4962)?
> 
> I should think the PPPEXT WG would decide which guidelines, subject
> to the constraints of getting documents through the IETF process :-)
> 
>>> I believe that there should be an update of PPP
>>> security or, if an effort to update them fails for some reason, then
>>> at least old / inadequate / unimplemented PPP security RFCs should be
>>> declared historic.
>>
>> Do you have a list of said RFCs?
> 
> I don't think it is complete but how about the following to start with:
> 
> "The PPP Encryption Control Protocol (ECP)",
>                RFC 1968, June 1996.
> "PPP Challenge Handshake Authentication
>                Protocol (CHAP)", RFC 1994, August 1996.
> "The PPP Triple-DES Encryption Protocol (3DESE)", RFC 2420, September 1998.
> 

OK, I guess the crux of my previous question (which I apparently did not
express well) is whether or not the proposed updates are solely or at
least primarily editorial in nature (e.g., bringing the Security
Considerations section into line with the recommendations of RFC 3552).
 Of the documents you mention, I suspect that RFC 1968 & RFC 2420 could
probably be changed any way we want to, since AFAIK there are no actual
deployments of either (I request correction!) but we can't go changing
the way that CHAP works.

...