Minutes from the Basic User Registration  Protocol (BURP) BoF meetings held in Minneapolis, MN.

Thanks to Behcet Sarikaya for capturing the notes.

Tuesday, March 20 at 1700-1800
==============================

1. Problem Statement: Basavaraj Patil

Basavaraj  discussed the problem  scope.  Network and  operators  require a user to  register  in order to provide  access to the  network or access to value added service.  He emphasized  that current  registration  mechanisms are built into the lower layers and thereby make them access specific.  Two I-Ds  (draft-das-burp-requirements-00.txt)  and (draft-soliman-burp-require ments  -00.txt)  discuss the  requirements.  The I-Ds will be merged into a single document after the IETF.

Draft authors felt the need for an upper layer  protocol  which will enable the usage of a common  registration  mechanism  for multiple  access types.  Presently,  AAA protocols  (such as RADIUS or Diameter)  reside  within the network and use information  about the user obtained via mechanisms such as PPP to  authenticate  and authorize as well as charge  (accounting).  Basic User  Registration  Protocol  (BURP)  should be the  mechanism  that exists between  the user and the  network to carry  user  information  used by AAA entities.  Although configuration is an important aspect to network access, it is out of scope for the BURP BoF.

2. Pros and Cons of Upper Layer Network Access: Bernard Aboba
(www.drizzle.com/~aboba/IEEE/)

Before describing the pros and cons of upper layer authentication,  Bernard discussed  few issues  such as, how do we measure if a protocol  has been a success,  what do we do  today , who  standardizes  what  and  what we have learned   from  the  past?  He  also   described   static   vs.  extensible authentication  and why we do  authentication  at link layer.  He presented pros and cons of  network  access  authentication  that  has  already  been implemented   at  every   layer.  For   example,   today   network   access authentication  is done at link layer.   Network  Access  Server  (NAS)  and client use PPP links.  Then NAS and AAA server use IP based AAA   protocol.  IP layer is used in hotel to  access  Web  Server  based on ICMP  re-direct method.  At  UDP/TCP  layer  propriety   token  card  protocols  are  used.  Finally, he raised five  important  questions and concluded  with a summary saying that layer-3 authentication makes sense for a wireless WAN.

A discussion ensued regarding the increasing speeds of routers and switches to gigabit and beyond and some of the issues  associated  with doing access control and  filtering at higher  layers for networks  that operate at such high speeds.

3. Requirements for High-speed Internet Access in Public Places
   Anand Balachandran

Anand  discussed the current trend in  ubiquitous  internet  access and the related  security  issues.  Current schemes are:  MAC level  filtering, WEP key  security,  IEEE 802.1x port based access  control  etc.  although  the latter  requires  changes to existing  APs.  He described  their  vision on network access protocol.  It should be based on IPv6/v4,  support  multiple authentication  schemes.  AAA  E-cash  system of VISA,  Masters  cards etc. Service  models:  Model 1:  free access to local  resources in the Intranet and no  authentication  is  required.  Model 2:  Authenticate  and pay.  It allows access to the Internet, and thereby differentiated  charging.  Scope is:  user-network  interaction;  Protocol  is  decoupled  from  routing and location  updates for mobile hosts.  Fallout is:  a user  registration  and authentication  protocol  has been  implemented  and working in malls for 7 months.  He has not described the  encryption  protocol  since it is beyond scope.

Discussion cut short because of time limitations.

4. Applicability of a user registration protocol: Yoshihiro Ohba

Ohba  described L2 access  control as "all or nothing"  which is simple but more flexible  access control would be useful in public areas.  Multihoming is another issue:  a host may associate with many access routers  (ARs).  A host may have multiple  interfaces that belong to the same or different AAA domains.  If all ARs belong to same AAA domain,  performing  AAA per AR may not be good  idea.  The  same is true  for  multiple  interfaces.  He  also discussed  AAA  application  protocols  issues  such as MIP and SIP.  It is always good to have protocols to be AAA ready without any  modification  to AAA base  specification.  According  to him BURP  should be a light  weight client-server protocol for user registration to the visiting AAA domain.

5. Why BURP is required in wireless nets: Pat Calhoun

Pat  explained  the need for BURP.  Currently  PPP is used because it is an IETF protocol.  However, in cellular  world LCP of PPP is no longer used to negotiate link parameters.  Authentication  phase is also not used, instead Mobile IP  authentication  is used.  IPCP is used only to  negotiate a NULL address.  He has given several  reasons why PPP is bad.  According to him a light  weight   registration   protocol  is  needed  which  should  include authentication,  re-authentication,  disconnect  message,  contains minimal state and  compression  negotiation.  Moreover,  since Mobile IPv6 does not have access  control at the edge, BURP would  allow the first hop router to perform this function.

6. Discussion of related I-Ds
draft-ietf-dhc-aaa-ra-00.txt -- George Tsirtsis

George  mentioned  that  he  presented  this  draft  in dhc WG as  his  own contribution.  The main idea is to extend DHCP as an Internet  access model in which AAA procedures are invoked from a DHCP relay agent.  He thinks the protocol should support full AAA functionality not only  registration.  For example,   policing  and   accounting   are  provided  by  AAA  apart  from registration.  However, he indicated  that it is not  necessary  to have it always with DHCP but the registration agent should be in the AR since it is simpler to do access control at AR.  He also  discussed why not DHCP?  Some BoF  members  think it is not a good  idea to tie the  registration  with a configuration protocol such as DHCP.

7. draft-perkins-aaav6-03.txt -- Charlie Perkins

This is also an  individual  contribution  with his  colleagues  at  Nokia.  Charlie  started with  general  philosophy,  have access  control at AR and should  coexist  with  ipv6  stateless  autoconf.  He  suggested  to have a generic method.  Enable integration with other access methods such as mipv4 extension  for AAA and try to make  it for  mipv6.  The  generic  framework should support  different  mechanisms such as stateless  autoconf,  DHCPv6, mipv6 etc.

Presenation cut short because of time limitations.

Discussion of problem statement and charter
-------------------------------------------

A. Basavaraj asked for comments on problem statement.

Suggestions:  DHCPv6 may add new  requirements.  We should  concentrate  on authentication schemes, kerberos, etc.  It should be decoupled from address acquisition  mechanisms.  Authentication  in the core is  complicated,  the route can change etc.

Chairs  mentioned that they will consider these  suggestions  and also look into Bernard's comments.

B. Consensus

Question 1:  Do people  agree that there is a problem as stated by this BOF exists and that it needs to be addressed?

           Response +ve : Overwhelming Yes
                    -ve : A very few No's

Question  2:  Does a WG need to be created out of this BOF to address  this problem?

            Response +ve : Overwhelming Yes (again)
                     -ve : A very few No's

Next  Steps:  An  updated  problem  statement/charter  will be sent  to the Internet ADs for approval and request to create a WG.