[secdir] (Security sections) SecDir and AppsDir review of draft-ietf-storm-iscsi-cons-06
Mallikarjun Chadalapaka <cbm@chadalapaka.com> Tue, 09 October 2012 03:44 UTC
Hi Alexey, here are the responses to your comments specific to security sections of iSCSI consolidated draft - actually, I am deferring mostly to Julian and David who are better suited than me to comment on this area, :-)

Mallikarjun

> In 9.3.1:
>
> - HMAC-SHA1 MUST be implemented [RFC2404].
>
> RFC 2404 seems to define HMAC-SHA-1-96, not HMAC-SHA1.

[Mallikarjun:] That is true. I do not know the reason for this citing. Julian/David? I also found it interesting that the abstract for 2404 itself does not use the "96" qualifier.

> 9.3.2. Confidentiality
>
> The NULL encryption algorithm MUST also be implemented.
>
> I find it odd that the section talks about how weak DES is and then
> requires NULL encryption to be supported. What is the reason for this?

[Mallikarjun:] IIRC, I *think* this was because we wanted implementations to be able to use the authentication/MAC of IPSec suite, without forcing them always to use encryption. David, can you please add/correct?

> 9.3.3. Policy, Security Associations, and Cryptographic Key Management
>
> - When digital signatures are used to achieve authentication,
> an IKE negotiator SHOULD use IKE Certificate Request
> Payload(s) to specify the certificate authority. IKE
> negotiators SHOULD check the pertinent Certificate
> Revocation List (CRL) before accepting a PKI certificate for
> use in IKE authentication procedures.
>
> What are the reasons for these requirements being SHOULD level (as
> opposed to MUST level)?
>
> - The following identification type requirements apply to IKEv1.
> ID_IPV4_ADDR, ID_IPV6_ADDR (if the protocol stack supports
> IPv6) and ID_FQDN Identification Types MUST be supported;
> ID_USER_FQDN SHOULD be supported. The IP Subnet, IP Address
> Range, ID_DER_ASN1_DN, and ID_DER_ASN1_GN Identification Types
> SHOULD NOT be used. The ID_KEY_ID Identification Type MUST NOT
> be used.
>
> It would be good to know the reason for the last SHOULD NOT and the last
> MUST NOT.
[Mallikarjun:] I will defer to Julian and David on these.
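Added illustration of the two points discussed above (not part of the review thread or of the draft): RFC 2404's HMAC-SHA-1-96 is plain HMAC-SHA1 with the 160-bit output truncated to its leftmost 96 bits, and an integrity-only check of the kind the NULL encryption algorithm enables leaves the payload readable while still detecting tampering. The key and payload are constructed values.

```python
import hmac
import hashlib

# RFC 2404: the 160-bit HMAC-SHA1 output is truncated to its leftmost 96 bits (12 bytes).
ICV_LEN = 12


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value as defined by RFC 2404: HMAC-SHA1 truncated to 96 bits."""
    full_mac = hmac.new(key, data, hashlib.sha1).digest()  # 20 bytes
    return full_mac[:ICV_LEN]


def protect(key: bytes, payload: bytes) -> bytes:
    """Integrity-only protection (the NULL-encryption case).

    The payload is sent in the clear; only an ICV is appended, so a receiver
    can detect modification but gains no confidentiality.
    """
    return payload + hmac_sha1_96(key, payload)


def verify(key: bytes, message: bytes):
    """Return the payload if its ICV verifies, otherwise None.

    Comparison is constant-time so the check does not leak how many ICV
    bytes matched.
    """
    if len(message) < ICV_LEN:
        return None
    payload, icv = message[:-ICV_LEN], message[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac_sha1_96(key, payload)):
        return None
    return payload


if __name__ == "__main__":
    key = b"constructed-test-key"          # constructed sample key
    pdu = b"constructed iSCSI payload"     # constructed sample payload
    wire = protect(key, pdu)
    assert verify(key, wire) == pdu
    tampered = bytearray(wire)
    tampered[0] ^= 0x01                    # flip one payload bit
    assert verify(key, bytes(tampered)) is None
    print("ICV length:", len(hmac_sha1_96(key, pdu)), "bytes")
```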