[secdir] (Security sections) SecDir and AppsDir review of draft-ietf-storm-iscsi-cons-06

Mallikarjun Chadalapaka <cbm@chadalapaka.com> Tue, 09 October 2012 03:44 UTC

From: Mallikarjun Chadalapaka <cbm@chadalapaka.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-storm-iscsi-cons.all@tools.ietf.org" <draft-ietf-storm-iscsi-cons.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Tue, 9 Oct 2012 03:43:32 +0000
Message-ID: <E160851FCED17643AE5F53B5D4D0783A4C411CA2@BL2PRD0610MB361.namprd06.prod.outlook.com>

Hi Alexey, here are the responses to your comments specific to the security sections of the iSCSI consolidated draft - actually, I am deferring mostly to Julian and David, who are better suited than me to comment on this area. :-)

> In 9.3.1:
> - HMAC-SHA1 MUST be implemented [RFC2404].
> RFC 2404 seems to define HMAC-SHA-1-96, not HMAC-SHA1.
[Mallikarjun:] That is true. I do not know the reason for this citation. Julian/David?

I also found it interesting that the abstract for 2404 itself does not use the "96" qualifier.

> 9.3.2. Confidentiality
>    The NULL encryption algorithm MUST also be implemented.
> I find it odd that the section talks about how weak DES is and then
> requires NULL encryption to be supported. What is the reason for this?

[Mallikarjun:] IIRC, I *think* this was because we wanted implementations to be able to use the authentication/MAC of the IPsec suite, without forcing them always to use encryption. David, can you please add/correct?

> 9.3.3. Policy, Security Associations, and Cryptographic Key
>          Management
>       - When digital signatures are used to achieve authentication,
>         an IKE negotiator SHOULD use IKE Certificate Request
>         Payload(s) to specify the certificate authority. IKE
>         negotiators SHOULD check the pertinent Certificate
>         Revocation List (CRL) before accepting a PKI certificate for
>         use in IKE authentication procedures.
> What are the reasons for these requirements being SHOULD level (as
> opposed to MUST level)?
>    - The following identification type requirements apply to IKEv1.
>      ID_IPV4_ADDR, ID_IPV6_ADDR (if the protocol stack supports
>      IPv6) and ID_FQDN Identification Types MUST be supported;
>      ID_USER_FQDN SHOULD be supported. The IP Subnet, IP Address
>      Range, ID_DER_ASN1_DN, and ID_DER_ASN1_GN Identification Types
>      SHOULD NOT be used. The ID_KEY_ID Identification Type MUST NOT
>      be used.
> It would be good to know the reason for the last SHOULD NOT and the last

[Mallikarjun:] I will defer to Julian and David on these.
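The HMAC-SHA1 vs. HMAC-SHA-1-96 point raised above is a concrete interoperability difference, not just a citation nit: RFC 2404 specifies that the full 160-bit HMAC-SHA1 is computed and only its leading 96 bits are carried as the AH/ESP Integrity Check Value. The following Python is an added example, not code from the draft, from RFC 2404, or from anyone in this thread. It uses only the standard library; the key and data are the HMAC-SHA1 test case 1 vector from RFC 2202 (key of twenty 0x0b bytes, data "Hi There"), and the function names and the `verify_icv` length check are this example's own choices, not anything the draft mandates.

```python
"""Added example (not part of the draft or this thread): HMAC-SHA1 versus
HMAC-SHA-1-96 as used for the IPsec AH/ESP ICV (RFC 2404).

RFC 2404 computes the full 160-bit HMAC-SHA1 (RFC 2104) and transmits only
the leading 96 bits (12 bytes). A verifier recomputes the full tag, truncates
it the same way, and compares in constant time. A peer that reads the draft's
"HMAC-SHA1 [RFC2404]" literally and emits the full 20-byte tag will not
interoperate with an RFC 2404 verifier, which is what the example shows.
"""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits, the truncation length defined by RFC 2404


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """Full 160-bit HMAC-SHA1 tag (RFC 2104)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404 ICV: HMAC-SHA1 truncated to its leading 96 bits."""
    return hmac_sha1(key, data)[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes) -> bool:
    """Verify an RFC 2404 ICV.

    Rejects an ICV of the wrong length (for example the full 20-byte tag offered
    where a 96-bit one is expected) and compares in constant time so that the
    comparison does not leak how many leading bytes matched.
    """
    if len(icv) != ICV_LEN:
        return False
    return hmac.compare_digest(hmac_sha1_96(key, data), icv)


# HMAC-SHA1 test case 1 from RFC 2202: key = 0x0b * 20, data = "Hi There".
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_FULL_TAG = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


def demo() -> dict:
    """Run the comparison and return the observations as a dict."""
    full = hmac_sha1(RFC2202_KEY, RFC2202_DATA)
    icv = hmac_sha1_96(RFC2202_KEY, RFC2202_DATA)
    return {
        "full_matches_rfc2202": full == RFC2202_FULL_TAG,
        "full_len": len(full),
        "icv_len": len(icv),
        "icv_hex": icv.hex(),
        "icv_is_prefix_of_full": full.startswith(icv),
        # The RFC 2404 ICV verifies...
        "icv_verifies": verify_icv(RFC2202_KEY, RFC2202_DATA, icv),
        # ...but a full, untruncated HMAC-SHA1 tag does not interoperate.
        "full_tag_rejected": not verify_icv(RFC2202_KEY, RFC2202_DATA, full),
        # Tampered data must fail even with a correctly sized ICV.
        "tamper_rejected": not verify_icv(RFC2202_KEY, b"Hi There!", icv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The length check in `verify_icv` is the practical consequence of the distinction: an implementation advertising "HMAC-SHA1" that sends 20-byte tags and one implementing RFC 2404 that expects 12-byte ICVs will each reject the other's packets, so the draft's MUST should name the algorithm the cited RFC actually defines.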