Editor's Note: Minutes received on 7/31

CURRENT_MEETING_REPORT_

Reported by Keith McCloghrie/Hughes

Minutes of the SNMP Security Implementors' BOF (SNMPSECI)

A BOF session for SNMP Security Implementors was held during the Boston IETF meeting on July 13, 1992. The BOF's purpose was to allow implementors to share their implementation experiences. The meeting was chaired by Keith McCloghrie. Jim Galvin sent his apologies for not being able to attend.

The meeting began with a review of the status of SNMP Security:

   o RFCs 1351, 1352, 1353 have been published with Proposed Internet Standard status,

   o The RFCs have lots of editorial changes from the Internet Drafts which the Working Group had approved, but

   o The only change affecting implementations was the assignment of OBJECT IDENTIFIERs under the mib-2 branch.

After reviewing the status, the meeting was opened to questions and comments from the attendees. An informal poll of the audience indicated that at least six implementations of secure SNMP existed.

The discussion topics included:

   o Export issues

   o Clock synchronization

   o Access control granularity

   o MD5/DES performance overhead

   o BER encoding

   o Relation to SMP

   o ``Next steps'' for the RFCs.

During the discussion of export issues, some (second-hand) information was presented on a proposal being considered by NIST for an ``improved'' process for U.S. export control of cryptography.

The discussion on clock synchronization raised the issue of how SNMP Security relates to the recent SMP specification, since a change to clock synchronization is proposed by the SMP specification. Thus, each of the changes to SNMP Security being proposed as part of SMP was presented.
In particular, in the area of clock synchronization, SMP simplifies the algorithm by including both the destination party's clock as well as the source party's clock in the authInfo structure of a message; this removes the need for a SetRequest to be issued (in the ``case 1'' scenario described in RFC 1352). Another suggestion concerning clock synchronization was the use of automatic, ``on the fly'' synchronization of clocks whenever an application requests that a message be sent to an agent with which it hasn't recently communicated.

In other discussions, the impact of performing access control on MIB views with instance-level granularity was discussed, particularly its performance aspects.

Performance was also discussed in regard to the overhead of MD5 and DES. Feedback from newer implementations was compared to previously known information, and was found to be within the same ballpark. David Partain's article in the July issue of ``The Simple Times'' was mentioned as a source of more information.

One implementor indicated that differences in BER encodings by different implementations could cause problems. The authDigest value calculated on the SnmpAuthMessage by the receiving entity has to match the authDigest value contained in the message when these values are compared during authentication processing. In particular, ISO 8825 allows multiple valid encodings of a length field. Thus, the receiving entity must not perform an independent BER serialization/encoding, but must use the same serialized value as it received. Not only is this necessary, but it can also be beneficial, since it allows implementors to minimize the number of times BER encodings are performed in their code.

Several attendees raised questions on the ``next steps'' for secure SNMP in light of the changes outlined in the SMP documents. There were questions on whether the SNMP Security RFCs would be updated and when.
Additionally, there were questions on whether implementors should ``hold off'' on implementing SNMP Security until the status of SMP/SNMP II was known. Attendees were urged to participate in the SMP BOF scheduled for later in the week, where these issues would be discussed.

Attendees

Steve Alexander         stevea@i88.isc.com
David Arneson           arneson@ctron.com
Jim Barnes              barnes@xylogics.com
Andy Bierman            bierman@davidsys.com
Tom Brennan
David Bridgham          dab@epilogue.com
Theodore Brunner        tob@thumper.bellcore.com
Lida Carrier            lida@apple.com
Robert Ching            natadm!rching@uunet.uu.net
Chris Chiotasso         chris@artel.com
Tracy Cox               tacox@sabre.bellcore.com
Cathy Cunningham        cmc@microcom.com
James Davin             jrd@ptt.lcs.mit.edu
Michael Davison         davison@cs.utk.edu
David Engel             david@ods.com
Michael Erlinger        mike@lexcel.com
Rob Graham              robert_graham@protools.com
Pria Graves             priag@nsd.3com.com
Jeff Hughes             jeff@col.hp.com
Ronald Jacoby           rj@sgi.com
Frank Kastenholz        kasten@ftp.com
Nick Kawaguchi          mamster@lanai.cs.ucla.edu
Mark Kepke              mak@cnd.hp.com
Kenneth Key             key@cs.utk.edu
Deidre Kostick          dck2@sabre.bellcore.com
Hock-Koon Lim           lim@po.cwru.edu
John Linn               linn@erlang.enet.dec.com
Arun Mahajan            axm@proteon.com
Kent Malave             kent@chang.austin.ibm.com
Kim Mayton              mayton@wg.com
Keith McCloghrie        kzm@hls.com
Thomas McGinty          mcginty_t*corp_m@msm.cdx.mot.com
John McKenna            mckenna@ralvm12.vnet.ibm.com
David Minnich           dwm@fibercom.com
Lynn Monsanto           monsanto@sun.com
Paul Moran              Paul_Moran@3com.com
Rina Nathaniel          rina!rnd!rndi@uunet.uu.net
Sam Nicholson           scion@pblx.knox.tn.us
Bill Norton             wbn@merit.edu
Steven Onishi           sonishi@wellfleet.com
Andrew Patka            apatka@wellfleet.com
John Payne              jop@wang.com
David Perkins           dperkins@synoptics.com
Richard Ramos           ramos@mtunm.att.com
Ed Reeder               EREEDER@ralvm12.vnet.ibm.com
Sam Roberts             sroberts@farallon.com
Dan Romascanu           dan@lannet.com
Marshall Rose           mrose@dbc.mtview.ca.us
Michael Sapich          sapich@conware.de
Koichiro Seto           seto@hitachi-cable.co.jp
Timon Sloane            peernet!timon@uunet.uu.net
Einar Stefferud         stefisoc@nma.com
Mark Therieau           markt@python.eng.microcom.com
Dean Throop             throop@dg-rtp.dg.com
Stephen Tsun            snt@nsd.3com.com
Ahmet Tuncay            atuncay@synoptics.com
Dono van-Mierop         dono_van_mierop@3mail.3com.com
Huyen Vu                vi@polaris.disa.mil
David Waitzman          djw@bbn.com
Gerard White
Steven Wong             wong@took.enet.dec.com
Honda Wu                natadm!honda@uunet.uu.net
Kiho Yum                kxy@nsd.3com.com
Joseph Zur              zur@fibhaifa.com