CURRENT_MEETING_REPORT_

Reported by John Vollbrecht/Merit Network and Allan Rubens/Merit Network

Minutes of the Network Access Server Requirements Working Group (NASREQ)

The NASREQ Working Group met on Tuesday, November 2. There was a brief review of the rationale for NAS/helper separation, and Steve Willens walked through the proposed RADIUS protocol document that could be used to support this separation. Steve provided copies of the document, which will be updated and submitted as an Internet-Draft.

There was a lot of discussion about the document. The general consensus was that it was a good idea to have such a protocol, that the protocol met a number of needs, and that it should eventually be submitted for consideration as an RFC. Some of the issues raised were:

o Security: An MD5 hashing algorithm is used to hide the password. It was suggested that this might not be a good mechanism, and that it might not be exportable. It is not known where to get answers to these issues. Secrets shared between the NAS and the RADIUS server are configured rather than obtained from an authentication server. It was suggested that this could be done either way, depending on whether the NAS is able to do Kerberos.

o Extensibility: A lot of discussion concerned whether parameters should be identified with ASCII strings or numeric IDs. This discussion will presumably continue on the mailing list.

o TCP versus UDP: A suggestion was made that the protocol should be built on TCP rather than UDP. This will be considered more on the mailing list, but consensus seemed to favor TCP.

o Downloadable filters: Filters should be dynamically settable.

o Other: The text of the document needs to clarify which attributes belong together, which are sent by the NAS, and which are returned by the RADIUS server. It may also be desirable to be able to send an arbitrary string to be interpreted by the command interpreter in the NAS.

A very brief presentation on distributed authentication was given as a possible future subject for the working group to consider. This was discussed further in the Security Area Advisory Group (SAAG) meeting on Thursday, and we agreed to have this discussion at the first SAAG meeting in Seattle.

We discussed changing the charter of the group, and the following elements were described as a possible direction:

o Finish the NAS Requirements document and submit it for consideration as an Informational RFC following the Seattle IETF. We need volunteers to work on pieces of the document.

o Revise the RADIUS protocol definition and submit it for consideration as an RFC after review at the Seattle IETF.

o Move KAP/PKAP to the Point-to-Point Protocol Extensions Working Group (PPPEXT) and/or to a working group in the Security Area. The group that it might go to in the Security Area is under discussion.

o Focus the attention of the group on distributed authentication in support of shared dial-in between organizations. This will likely have other implications and should have significant support from Security Area folks to be successful.

Attendees

Nick Alfano           alfano@mpr.ca
Jim Barnes            barnes@xylogics.com
Larry Blunk           ljb@merit.edu
Cheng Chen            chen@accessworks.com
Blair Copland         copland@unt.edu
Robert Downs          bdowns@combinet.com
Antonio Fernandez     afa@thumper.bellcore.com
Jisoo Geiter          geiter@mitre.org
Mei-Jean Goh          goh@mpr.ca
Chris Gorsuch         chrisg@lobby.ti.com
Marco Hernandez       marco@cren.net
Matt Hood             hood@nsipo.nasa.gov
John Linn             linn@security.ov.com
Brian Lloyd           brian@lloyd.com
Glenn McGregor        ghm@lloyd.com
Piers McMahon         p.v.mcmahon@rea0803.wins.icl.co.uk
Michael Michnikov     mbmg@mitre.org
Bob Morgan            morgan@networking.stanford.edu
Michael O'Dell        mo@uunet.uu.net
Rakesh Patel          rapatel@pilot.njin.net
Allan Rubens          acr@merit.edu
William Simpson       Bill.Simpson@um.cc.umich.edu
Dave Solo             solo@bbn.com
Don Stephenson        don.stephenson@sun.com
Theodore Ts'o         tytso@mit.edu
Raymond Vega          rvega@cicese.mx
John Vollbrecht       jrv@merit.edu
Steve Willens         steve@livingston.com