CURRENT MEETING REPORT

Reported by Marcus Leech/Bell Northern Research

Minutes of the Authenticated Firewall Traversal Working Group (AFT)

The AFT Working Group held one session on Thursday, 8 December.

UDP

The issue of UDP fragmentation was discussed. This issue has to do with
SOCKS protocol headers being prefixed to a UDP datagram, and the
resulting datagram being too large to fit whatever OS buffers are
allocated by the application. One proposal was to have support in the
protocol and implementation for UDP-level fragmentation. After some
discussion, it was concluded that this was not a protocol issue, but
rather an implementation one. The implementation may detect the case
where the combination of SOCKS header and application data exceeds the
size of the UDP buffer offered by the OS, and simply ask for more buffer
space on behalf of the application.

Perry Metzger pointed out that the UDP encapsulation is unnecessarily
bulky, with unnecessary replication of authentication information in
the header. Perry will submit details to the mailing list about a
proposal to deal with this issue.

SOCKS V5

Several clarifications of the existing SOCKS V5 draft were discussed,
including typos in the description of the encryption payload. It was
also pointed out that support for IP 'V5' addresses is meaningless and
should be dropped.

General consensus was reached that the authentication portion of the
protocol needs more review, and that specific emphasis should be put on
finding both near- and long-term solutions. A list of requirements for
such an authentication protocol was generated, with general agreement
that there be more discussion on the mailing list. The following list
of requirements was generated:

   o Authentication/privacy must be negotiable with regard to
     parameters and mechanisms.

   o There should be a baseline method that all conforming
     implementations must support.

   o Other mechanisms must be negotiable in place of the baseline
     mechanism, where other mechanisms exist.

   o The baseline method chosen must be deployable in the near term,
     and so must use an existing or about-to-mature technology.

   o The mechanism(s) chosen must be secure.

There was general consensus that GSSAPI should be investigated as a
baseline mechanism, with support for the IPKM protocol when it emerges.
Piers McMahon will post some details of GSSAPI, and its relevance to
SOCKS, to the mailing list.

There was general consensus that there needs to be more
firewall-to-firewall scenario discussion in the Internet-Draft, and that
the issues that firewall-to-firewall raises should be discussed on the
mailing list.
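The UDP discussion above turns on a concrete arithmetic fact: once the SOCKS header is prefixed, a datagram that fit the application's receive buffer no longer does, and UDP silently discards the excess. The following added example (not part of the minutes and not code from any SOCKS implementation) builds the SOCKS5 UDP request header, models the truncation, and shows the implementation-side fix the group settled on: size the receive buffer as application buffer plus header length. The header layout used (RSV, FRAG, ATYP, DST.ADDR, DST.PORT) is the one later published in RFC 1928; the draft discussed at this meeting predates that RFC, so treat the exact layout as an assumption.

```python
import socket
import struct

# SOCKS5 UDP request header, as later fixed in RFC 1928 (assumed here as the
# concrete form of the "SOCKS protocol header" the minutes refer to):
#   RSV(2 bytes, zero) | FRAG(1) | ATYP(1) | DST.ADDR(variable) | DST.PORT(2)
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def udp_header(dst_host, dst_port, frag=0):
    """Build the header that the SOCKS relay prefixes to each UDP datagram."""
    try:
        atyp_part = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, dst_host)
    except OSError:
        try:
            atyp_part = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, dst_host)
        except OSError:
            name = dst_host.encode("idna")
            if len(name) > 255:
                raise ValueError("domain name too long for the one-byte length field")
            atyp_part = bytes([ATYP_DOMAIN, len(name)]) + name
    return struct.pack("!HB", 0, frag) + atyp_part + struct.pack("!H", dst_port)


def header_length(dst_host):
    """Header overhead depends only on the address type, not on the port."""
    return len(udp_header(dst_host, 0))


def encapsulate(payload, dst_host, dst_port):
    """What actually travels on the wire between client and relay."""
    return udp_header(dst_host, dst_port) + payload


def receive_into(buffer_size, datagram):
    """Model recvfrom(buffer_size): UDP hands back at most buffer_size bytes
    and drops the rest.  Returns (data, truncated)."""
    return datagram[:buffer_size], len(datagram) > buffer_size


def required_buffer(app_buffer, dst_host):
    """The fix the minutes describe: the implementation asks for enough
    buffer to hold the full application datagram plus the SOCKS header."""
    return app_buffer + header_length(dst_host)


def decapsulate(datagram):
    """Strip the header; returns (dst_host, dst_port, frag, payload).
    Raises ValueError on a malformed or truncated header."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the fixed header")
    rsv, frag, atyp = struct.unpack("!HBB", datagram[:4])
    if rsv != 0:
        raise ValueError("reserved field must be zero")
    pos = 4
    if atyp == ATYP_IPV4:
        raw, pos = datagram[pos:pos + 4], pos + 4
        if len(raw) != 4:
            raise ValueError("truncated IPv4 address")
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        raw, pos = datagram[pos:pos + 16], pos + 16
        if len(raw) != 16:
            raise ValueError("truncated IPv6 address")
        host = socket.inet_ntop(socket.AF_INET6, raw)
    elif atyp == ATYP_DOMAIN:
        n = datagram[pos]
        raw, pos = datagram[pos + 1:pos + 1 + n], pos + 1 + n
        if len(raw) != n:
            raise ValueError("truncated domain name")
        host = raw.decode("idna")
    else:
        raise ValueError("unknown address type %#04x" % atyp)
    if len(datagram) < pos + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", datagram[pos:pos + 2])
    return host, port, frag, datagram[pos + 2:]


if __name__ == "__main__":
    # Constructed sample: a 512-byte application datagram to 192.0.2.10:53.
    payload = b"A" * 512
    wire = encapsulate(payload, "192.0.2.10", 53)
    data, truncated = receive_into(512, wire)
    print("naive buffer:", len(data), "bytes, truncated =", truncated)
    data, truncated = receive_into(required_buffer(512, "192.0.2.10"), wire)
    print("sized buffer:", len(data), "bytes, truncated =", truncated)
    print("round trip:", decapsulate(data)[:2])
```

The receive-side check in decapsulate matters as much as the buffer sizing: a relay that strips a header from a truncated datagram without verifying lengths hands the application either a damaged payload or, for a domain-name address, whatever bytes happened to follow the length octet.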
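The requirements list above asks for mechanisms that are negotiable, a baseline every implementation supports, and other mechanisms selectable in place of it. The following added example (not from the minutes and not from any SOCKS implementation) shows that negotiation as the two-message exchange SOCKS5 uses: the client lists the methods it supports, the server picks one by its own preference order or answers "no acceptable method", and the client refuses any selection it did not offer. The message format and the method numbers (0x00 none, 0x01 GSSAPI, 0x02 username/password, 0xFF no acceptable method) are those later assigned in RFC 1928 and RFC 1929, so relative to the draft discussed here they are an assumption; the server's baseline defaults to GSSAPI because that is the candidate the group agreed to investigate.

```python
from typing import List, Optional

VERSION = 0x05
NO_ACCEPTABLE = 0xFF

# Method identifiers as later assigned by RFC 1928 / RFC 1929 (assumption:
# the draft discussed in these minutes predates both).
METHOD_NOAUTH = 0x00
METHOD_GSSAPI = 0x01
METHOD_USERPASS = 0x02


def client_hello(offered: List[int]) -> bytes:
    """VER | NMETHODS | METHODS...  The client lists every mechanism it can run."""
    if not 1 <= len(offered) <= 255:
        raise ValueError("client must offer between 1 and 255 methods")
    if len(set(offered)) != len(offered):
        raise ValueError("duplicate method in offer")
    return bytes([VERSION, len(offered)]) + bytes(offered)


def server_policy(preferred: List[int], baseline: int = METHOD_GSSAPI) -> List[int]:
    """Preference-ordered list of methods the server accepts.  The baseline is
    always present, so a conforming client can always get through, but anything
    earlier in the list wins when both sides support it."""
    return preferred + ([] if baseline in preferred else [baseline])


def server_select(hello: bytes, policy: List[int]) -> bytes:
    """VER | METHOD.  Pick the first method in the server's preference order
    that the client offered; 0xFF if there is no overlap."""
    if len(hello) < 2 or hello[0] != VERSION:
        raise ValueError("not a SOCKS5 method-selection hello")
    n = hello[1]
    if len(hello) != 2 + n:
        raise ValueError("NMETHODS does not match message length")
    offered = set(hello[2:])
    for method in policy:
        if method in offered:
            return bytes([VERSION, method])
    return bytes([VERSION, NO_ACCEPTABLE])


def client_accept(reply: bytes, offered: List[int]) -> Optional[int]:
    """Client side of the exchange.  A reply naming a method the client never
    offered is rejected outright rather than honoured: accepting it would let
    the other end steer the session onto a mechanism the client did not want."""
    if len(reply) != 2 or reply[0] != VERSION:
        raise ValueError("malformed method selection reply")
    method = reply[1]
    if method == NO_ACCEPTABLE:
        return None
    if method not in offered:
        raise ValueError("server selected unoffered method %#04x" % method)
    return method


def negotiate(offered: List[int], policy: List[int]) -> Optional[int]:
    """Run both sides in-process; returns the agreed method or None."""
    hello = client_hello(offered)
    reply = server_select(hello, policy)
    return client_accept(reply, offered)


if __name__ == "__main__":
    # Constructed server policy: prefer username/password over the GSSAPI
    # baseline, never accept an unauthenticated session.
    policy = server_policy([METHOD_USERPASS])
    for offer in ([METHOD_NOAUTH], [METHOD_NOAUTH, METHOD_GSSAPI],
                  [METHOD_GSSAPI, METHOD_USERPASS]):
        print(offer, "->", negotiate(offer, policy))
```

The single byte the server returns is the entire negotiation, which is why the client-side check in client_accept is not optional: the protocol gives the client no other place to enforce that the mechanism actually used is one it was willing to use.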