Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
"Black, David" <david.black@emc.com> Thu, 06 June 2013 21:07 UTC
Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A75D11E8121 for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 14:07:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FS8mtuSM3Ax8 for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 14:07:42 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 308D611E8120 for <ipsec@ietf.org>; Thu, 6 Jun 2013 14:07:41 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56L7V2q020856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Jun 2013 17:07:38 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Thu, 6 Jun 2013 17:07:15 -0400
Received: from mxhub24.corp.emc.com (mxhub24.corp.emc.com [128.222.70.136]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56L7FYD021111; Thu, 6 Jun 2013 17:07:15 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub24.corp.emc.com ([128.222.70.136]) with mapi; Thu, 6 Jun 2013 17:07:14 -0400
From: "Black, David" <david.black@emc.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 06 Jun 2013 17:07:13 -0400
Thread-Topic: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
Thread-Index: Ac5i+L8IHdC5MI9GQIqqdfI73esrMQAAHueQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712980CA062@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE712980C9E82@MX15A.corp.emc.com> <51B021E1.102@gmail.com> <8D3D17ACE214DC429325B2B98F3AE712980C9F2C@MX15A.corp.emc.com> <51B0F811.1010602@gmail.com>
In-Reply-To: <51B0F811.1010602@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 21:07:47 -0000
Hi Yaron, > > I left the must-implement DH groups to the underlying IPsec specs; is it > > important to repeat that here? > > I suggest that you add something like: Requirements for DH groups and > PRF are as specified in RFC 4109 (for IKEv1), RFC 4307 (for IKEv2) or > any documents updating them. (That's assuming your implementers can > navigate our must-minuses and should-pluses :-) Sure, I'll do that. > > For no DH group, see IKEv1 Quick Mode without perfect forward secrecy, > > and I need to add a sentence requiring PFS to be implemented for that case. > > Text suggestions are welcome. > > Now I'm confused: we're using DH in Quick Mode (and IKEv2 CCSA) if we > want PFS. So what do you mean? Sorry, I mixed two separate concepts in one sentence: - Quick mode can be used without DH when there's no key exchange and hence no PFS. That's the case in which there may be no DH involved in an IKEv1-based SA setup. - Independent of that observation, RFC 3723 contains a "MUST implement" requirement for IKEv1 PFS that ought to be repeated in this draft. I'll add that, but note that it's not a "MUST use" requirement. Thanks, --David > -----Original Message----- > From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > Sent: Thursday, June 06, 2013 4:59 PM > To: Black, David > Cc: IPsecme WG > Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt > > Hi David, > > please see follow up comments below. > > Thanks, > Yaron > > On 2013-06-06 15:33, Black, David wrote: > > Hi Yaron, > > > > Thank you for the quick review. > > > >> * The ref for AES-GMAC is RFC 3543, should be 4543. > > > > That's embarrassing - not just off-by-1, but off-by-1000 :-). > > I will definitely fix that in the -01. > > > >> * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption? > >> * The separation of GMAC and CTR, when we really want the combined-mode > >> GCM, is very confusing. > > > > See the end of 2.2. AES CTR changes from MAY to SHOULD, and there's a > SHOULD > > for AES GCM. I'll add a sentence after the two bullets at the start of 2.2 > > to make it clear that both requirements are being changed. > > > >> * 3: why no must-implement DH group? Also, "when DH groups are used" - > >> are there any cases when they're not? > > > > I left the must-implement DH groups to the underlying IPsec specs; is it > > important to repeat that here? > > I suggest that you add something like: Requirements for DH groups and > PRF are as specified in RFC 4109 (for IKEv1), RFC 4307 (for IKEv2) or > any documents updating them. (That's assuming your implementers can > navigate our must-minuses and should-pluses :-) > > > > > For no DH group, see IKEv1 Quick Mode without perfect forward secrecy, > > and I need to add a sentence requiring PFS to be implemented for that case. > > Text suggestions are welcome. > > Now I'm confused: we're using DH in Quick Mode (and IKEv2 CCSA) if we > want PFS. So what do you mean? > > > > >> * 3.1: I would expect a discussion here about correlation between IKE > >> identity and the application protocol. E.g. are target names used as > >> IKEv2 ID values? This probably makes more sense when iSCSI discovery is > >> being used. > > > > That belongs in an iSCSI-specific doc; this draft is generic to a number > > of IP Storage protocols - e.g., iSCSI, FCIP, iFCP. > > > >> * 3.1: (shameless plug...) instead of certs, PACE with an automatically > >> generated PSK would be so much more convenient... See RFC 6631, Sec. > >> 3.5+3.6. But of course it is only experimental, sigh. > > > > Plug noted ;-). Independently, FWIW, if there had not been IPR > complications > > at the time, SRP would have been the mandatory-to-implement inband > > authentication mechanism for iSCSI (in the main iSCSI doc, not here). > > I'm really tempted to go into a lengthy discussion of PAKE and IPR, but > I'd rather not spam this list. > > > > > Thanks, > > --David > > > > > >> -----Original Message----- > >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > >> Sent: Thursday, June 06, 2013 1:45 AM > >> To: Black, David > >> Cc: IPsecme WG > >> Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update- > 00.txt > >> > >> Hi David, > >> > >> * The ref for AES-GMAC is RFC 3543, should be 4543. > >> * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption? > >> * The separation of GMAC and CTR, when we really want the combined-mode > >> GCM, is very confusing. > >> * 3: why no must-implement DH group? Also, "when DH groups are used" - > >> are there any cases when they're not? > >> * 3.1: I would expect a discussion here about correlation between IKE > >> identity and the application protocol. E.g. are target names used as > >> IKEv2 ID values? This probably makes more sense when iSCSI discovery is > >> being used. > >> * 3.1: (shameless plug...) instead of certs, PACE with an automatically > >> generated PSK would be so much more convenient... See RFC 6631, Sec. > >> 3.5+3.6. But of course it is only experimental, sigh. > >> > >> Thanks, > >> Yaron > >> > >> On 2013-06-05 23:30, Black, David wrote: > >>> FYI - this draft is likely to move fairly quickly, with both > >>> WG Last Call and the publication request that hands off draft from > >>> the WG to the AD happening before the Berlin IETF meetings. > >>> > >>> WG Last Call in the storm WG is expected to start next week. > >>> > >>> Thanks, > >>> --David > >>> > >>> -----Original Message----- > >>> From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] > >> On Behalf Of Internet-Drafts@ietf.org > >>> Sent: Wednesday, June 05, 2013 3:51 PM > >>> To: i-d-announce@ietf.org > >>> Cc: storm@ietf.org > >>> Subject: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt > >>> > >>> A new Internet-Draft is available from the on-line Internet-Drafts > >> directories. > >>> This draft is a work item of the STORage Maintenance Working Group of the > >> IETF. > >>> > >>> Title : IP Storage: IPsec Requirements Update for IPsec v3 > >>> Author(s) : D. Black, et al > >>> Filename : draft-ietf-storm-ipsec-ips-update > >>> Pages : 13 > >>> Date : June 5, 2013 > >>> > >>> RFC 3723 includes requirements for IPsec usage with IP Storage > >>> protocols (e.g., iSCSI) based on IPsec v2 (RFC 2401 and related > >>> RFCs). This document updates those requirements to IPsec v3 (RFC > >>> 4301 and related RFCs) and updates implementation requirements to > >>> reflect developments in cryptography since RFC 3723 was published. > >>> > >>> [RFC Editor: The "Updates:" list above has been truncated > by > >> xml2rfc. > >>> The complete list is - Updates: 3720, 3723, 3821, 3822, 4018, 4172, > >>> 4173, 4174, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048 (if > >>> approved) ] > >>> > >>> A URL for this Internet-Draft is: > >>> http://www.ietf.org/internet-drafts/draft-ietf-storm-ipsec-ips-update- > 00.txt > >>> > >>> Internet-Drafts are also available by anonymous FTP at: > >>> ftp://ftp.ietf.org/internet-drafts/ > >>> > >>> Below is the data which will enable a MIME compliant mail reader > >>> implementation to automatically retrieve the ASCII version of the > >>> Internet-Draft. > >>> > >>> > >>> > >>> _______________________________________________ > >>> IPsec mailing list > >>> IPsec@ietf.org > >>> https://www.ietf.org/mailman/listinfo/ipsec > >>> > >
- [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips… Black, David
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Yaron Sheffer
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Black, David
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Yaron Sheffer
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Black, David