Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
"Black, David" <david.black@emc.com> Thu, 06 June 2013 12:33 UTC
Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66C1121F947C for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 05:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8t826MF8gK2 for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 05:33:32 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 8E56F21F94DC for <ipsec@ietf.org>; Thu, 6 Jun 2013 05:33:31 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56CXPcA020984 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Jun 2013 08:33:28 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd06.lss.emc.com [10.254.222.130]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Thu, 6 Jun 2013 08:33:02 -0400
Received: from mxhub06.corp.emc.com (mxhub06.corp.emc.com [128.222.70.203]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56CX2Su008837; Thu, 6 Jun 2013 08:33:02 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub06.corp.emc.com ([128.222.70.203]) with mapi; Thu, 6 Jun 2013 08:33:01 -0400
From: "Black, David" <david.black@emc.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 06 Jun 2013 08:33:03 -0400
Thread-Topic: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
Thread-Index: Ac5ighxG/Zo5PCTcQnC9hSaqBAPKuAALgihQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712980C9F2C@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE712980C9E82@MX15A.corp.emc.com> <51B021E1.102@gmail.com>
In-Reply-To: <51B021E1.102@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: IPsecme WG <ipsec@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 12:33:37 -0000
Hi Yaron, Thank you for the quick review. > * The ref for AES-GMAC is RFC 3543, should be 4543. That's embarrassing - not just off-by-1, but off-by-1000 :-). I will definitely fix that in the -01. > * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption? > * The separation of GMAC and CTR, when we really want the combined-mode > GCM, is very confusing. See the end of 2.2. AES CTR changes from MAY to SHOULD, and there's a SHOULD for AES GCM. I'll add a sentence after the two bullets at the start of 2.2 to make it clear that both requirements are being changed. > * 3: why no must-implement DH group? Also, "when DH groups are used" - > are there any cases when they're not? I left the must-implement DH groups to the underlying IPsec specs; is it important to repeat that here? For no DH group, see IKEv1 Quick Mode without perfect forward secrecy, and I need to add a sentence requiring PFS to be implemented for that case. Text suggestions are welcome. > * 3.1: I would expect a discussion here about correlation between IKE > identity and the application protocol. E.g. are target names used as > IKEv2 ID values? This probably makes more sense when iSCSI discovery is > being used. That belongs in an iSCSI-specific doc; this draft is generic to a number of IP Storage protocols - e.g., iSCSI, FCIP, iFCP. > * 3.1: (shameless plug...) instead of certs, PACE with an automatically > generated PSK would be so much more convenient... See RFC 6631, Sec. > 3.5+3.6. But of course it is only experimental, sigh. Plug noted ;-). Independently, FWIW, if there had not been IPR complications at the time, SRP would have been the mandatory-to-implement inband authentication mechanism for iSCSI (in the main iSCSI doc, not here). Thanks, --David > -----Original Message----- > From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > Sent: Thursday, June 06, 2013 1:45 AM > To: Black, David > Cc: IPsecme WG > Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt > > Hi David, > > * The ref for AES-GMAC is RFC 3543, should be 4543. > * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption? > * The separation of GMAC and CTR, when we really want the combined-mode > GCM, is very confusing. > * 3: why no must-implement DH group? Also, "when DH groups are used" - > are there any cases when they're not? > * 3.1: I would expect a discussion here about correlation between IKE > identity and the application protocol. E.g. are target names used as > IKEv2 ID values? This probably makes more sense when iSCSI discovery is > being used. > * 3.1: (shameless plug...) instead of certs, PACE with an automatically > generated PSK would be so much more convenient... See RFC 6631, Sec. > 3.5+3.6. But of course it is only experimental, sigh. > > Thanks, > Yaron > > On 2013-06-05 23:30, Black, David wrote: > > FYI - this draft is likely to move fairly quickly, with both > > WG Last Call and the publication request that hands off draft from > > the WG to the AD happening before the Berlin IETF meetings. > > > > WG Last Call in the storm WG is expected to start next week. > > > > Thanks, > > --David > > > > -----Original Message----- > > From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] > On Behalf Of Internet-Drafts@ietf.org > > Sent: Wednesday, June 05, 2013 3:51 PM > > To: i-d-announce@ietf.org > > Cc: storm@ietf.org > > Subject: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt > > > > A new Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the STORage Maintenance Working Group of the > IETF. > > > > Title : IP Storage: IPsec Requirements Update for IPsec v3 > > Author(s) : D. Black, et al > > Filename : draft-ietf-storm-ipsec-ips-update > > Pages : 13 > > Date : June 5, 2013 > > > > RFC 3723 includes requirements for IPsec usage with IP Storage > > protocols (e.g., iSCSI) based on IPsec v2 (RFC 2401 and related > > RFCs). This document updates those requirements to IPsec v3 (RFC > > 4301 and related RFCs) and updates implementation requirements to > > reflect developments in cryptography since RFC 3723 was published. > > > > [RFC Editor: The "Updates:" list above has been truncated by > xml2rfc. > > The complete list is - Updates: 3720, 3723, 3821, 3822, 4018, 4172, > > 4173, 4174, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048 (if > > approved) ] > > > > A URL for this Internet-Draft is: > > http://www.ietf.org/internet-drafts/draft-ietf-storm-ipsec-ips-update-00.txt > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > Below is the data which will enable a MIME compliant mail reader > > implementation to automatically retrieve the ASCII version of the > > Internet-Draft. > > > > > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > >
- [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips… Black, David
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Yaron Sheffer
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Black, David
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Yaron Sheffer
- Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec… Black, David