IETF Logo Mail Archive

Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt

"Black, David" <david.black@emc.com> Thu, 06 June 2013 12:33 UTC

Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66C1121F947C for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 05:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8t826MF8gK2 for <ipsec@ietfa.amsl.com>; Thu, 6 Jun 2013 05:33:32 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 8E56F21F94DC for <ipsec@ietf.org>; Thu, 6 Jun 2013 05:33:31 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56CXPcA020984 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 6 Jun 2013 08:33:28 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd06.lss.emc.com [10.254.222.130]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Thu, 6 Jun 2013 08:33:02 -0400
Received: from mxhub06.corp.emc.com (mxhub06.corp.emc.com [128.222.70.203]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r56CX2Su008837; Thu, 6 Jun 2013 08:33:02 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub06.corp.emc.com ([128.222.70.203]) with mapi; Thu, 6 Jun 2013 08:33:01 -0400
From: "Black, David" <david.black@emc.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 06 Jun 2013 08:33:03 -0400
Thread-Topic: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
Thread-Index: Ac5ighxG/Zo5PCTcQnC9hSaqBAPKuAALgihQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712980C9F2C@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE712980C9E82@MX15A.corp.emc.com> <51B021E1.102@gmail.com>
In-Reply-To: <51B021E1.102@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: IPsecme WG <ipsec@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 12:33:37 -0000

Hi Yaron,

Thank you for the quick review.

> * The ref for AES-GMAC is RFC 3543, should be 4543.

That's embarrassing - not just off-by-1, but off-by-1000 :-).
I will definitely fix that in the -01.

> * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption?
> * The separation of GMAC and CTR, when we really want the combined-mode
> GCM, is very confusing.

See the end of 2.2.  AES CTR changes from MAY to SHOULD, and there's a SHOULD
for AES GCM.  I'll add a sentence after the two bullets at the start of 2.2
to make it clear that both requirements are being changed.

> * 3: why no must-implement DH group? Also, "when DH groups are used" -
> are there any cases when they're not?

I left the must-implement DH groups to the underlying IPsec specs; is it
important to repeat that here?

For no DH group, see IKEv1 Quick Mode without perfect forward secrecy,
and I need to add a sentence requiring PFS to be implemented for that case.
Text suggestions are welcome.

> * 3.1: I would expect a discussion here about correlation between IKE
> identity and the application protocol. E.g. are target names used as
> IKEv2 ID values? This probably makes more sense when iSCSI discovery is
> being used.

That belongs in an iSCSI-specific doc; this draft is generic to a number
of IP Storage protocols - e.g., iSCSI, FCIP, iFCP.

> * 3.1: (shameless plug...) instead of certs, PACE with an automatically
> generated PSK would be so much more convenient... See RFC 6631, Sec.
> 3.5+3.6. But of course it is only experimental, sigh.

Plug noted ;-).  Independently, FWIW, if there had not been IPR complications
at the time, SRP would have been the mandatory-to-implement inband
authentication mechanism for iSCSI (in the main iSCSI doc, not here).

Thanks,
--David


> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Thursday, June 06, 2013 1:45 AM
> To: Black, David
> Cc: IPsecme WG
> Subject: Re: [IPsec] FW: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
> 
> Hi David,
> 
> * The ref for AES-GMAC is RFC 3543, should be 4543.
> * 2.1: AES-GMAC and not AES-GCM? Authentication but no encryption?
> * The separation of GMAC and CTR, when we really want the combined-mode
> GCM, is very confusing.
> * 3: why no must-implement DH group? Also, "when DH groups are used" -
> are there any cases when they're not?
> * 3.1: I would expect a discussion here about correlation between IKE
> identity and the application protocol. E.g. are target names used as
> IKEv2 ID values? This probably makes more sense when iSCSI discovery is
> being used.
> * 3.1: (shameless plug...) instead of certs, PACE with an automatically
> generated PSK would be so much more convenient... See RFC 6631, Sec.
> 3.5+3.6. But of course it is only experimental, sigh.
> 
> Thanks,
> 	Yaron
> 
> On 2013-06-05 23:30, Black, David wrote:
> > FYI - this draft is likely to move fairly quickly, with both
> > WG Last Call and the publication request that hands off draft from
> > the WG to the AD happening before the Berlin IETF meetings.
> >
> > WG Last Call in the storm WG is expected to start next week.
> >
> > Thanks,
> > --David
> >
> > -----Original Message-----
> > From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org]
> On Behalf Of Internet-Drafts@ietf.org
> > Sent: Wednesday, June 05, 2013 3:51 PM
> > To: i-d-announce@ietf.org
> > Cc: storm@ietf.org
> > Subject: I-D ACTION:draft-ietf-storm-ipsec-ips-update-00.txt
> >
> > A new Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the STORage Maintenance Working Group of the
> IETF.
> >
> >      Title         : IP Storage: IPsec Requirements Update for IPsec v3
> >      Author(s)     : D. Black, et al
> >      Filename      : draft-ietf-storm-ipsec-ips-update
> >      Pages         : 13
> >      Date          : June 5, 2013
> >
> >     RFC 3723 includes requirements for IPsec usage with IP Storage
> >     protocols (e.g., iSCSI) based on IPsec v2 (RFC 2401 and related
> >     RFCs).  This document updates those requirements to IPsec v3 (RFC
> >     4301 and related RFCs) and updates implementation requirements to
> >     reflect developments in cryptography since RFC 3723 was published.
> >
> >     [RFC Editor: The &quot;Updates:&quot; list above has been truncated by
> xml2rfc.
> >     The complete list is - Updates: 3720, 3723, 3821, 3822, 4018, 4172,
> >     4173, 4174, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048 (if
> >     approved) ]
> >
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-ietf-storm-ipsec-ips-update-00.txt
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > Below is the data which will enable a MIME compliant mail reader
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.
> >
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >

v2.23.0 | Report a Bug | By Email