[storm] Two IPsec items - conclusion

"Black, David" <david.black@emc.com> Thu, 07 November 2013 19:06 UTC

From: "Black, David" <david.black@emc.com>
To: "Black, David" <david.black@emc.com>, "storm@ietf.org" <storm@ietf.org>
Date: Thu, 07 Nov 2013 14:06:10 -0500
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712026AAEC22B@MX15A.corp.emc.com>
Subject: [storm] Two IPsec items - conclusion
List-Id: Storage Maintenance WG <storm.ietf.org>

Having seen no comments on these two IPsec items (see below), absence of
comments is being taken as absence of objections, so the rough consensus
of the storm WG is that these changes are ok.

The revised draft will proceed toward RFC publication with these changes,
which are in the current -04 version:

	http://datatracker.ietf.org/doc/draft-ietf-storm-ipsec-ips-update/

After the last Discuss on this draft is cleared (should happen soon - the
Security ADs are kind of busy at the moment with all the attention being
paid to pervasive passive monitoring), I will need to go write a couple
of RFC Editor notes to make the corresponding updates to the Consolidated
iSCSI draft (in my "copious spare time" ;-) ).  Those notes will get posted
to the list when they're ready.

> -- Two IPsec items --
> 
> Two technical changes were made to the IPsec update draft, and these will also
> need to be made to the consolidated iSCSI draft, as they affect the IPsec
> security considerations text there:
> 
> (A) OCSP is now allowed for checking certificates in addition to use of CRLs.
> 
> (B) Extended sequence numbers (ESNs) are now required for ESPv2 (IPsec v2 -
> 	RFC 2406) in addition to ESPv3 (IPsec v3 - RFC 4303).
> 
> The first change, to allow OCSP, is a straightforward update to the current
> state of PKI certificate technology and usage.
> 
> The second change was the original intention for iSCSI use of IPsec (which is
> where all of this started) and got dropped when yours truly overlooked the
> existence of RFC 4304, which defines IKEv1 support for negotiating ESN usage.
> 
> One of the security ADs pointed out the existence of RFC 4304 and suggested
> this change, which makes a lot of sense, IMHO.  I believe ESN support to be
> widely available in IPsec v2 implementations.
> 
> If anyone cares about either of these, please comment - absence of comment
> will be taken as absence of objection.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.black@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------
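Item (B) above requires extended sequence numbers, which is what lets an ESP receiver reconstruct a 64-bit sequence number from the 32 bits actually carried on the wire and authenticate the implicit high-order bits. The following is an added example, not code from the storm drafts or from the author of this message: a Python model of the receiver-side ESN inference and anti-replay window from RFC 4303 Appendix A, with a sender that emits only the low 32 bits. Everything specific in it is an assumption for illustration: a 64-packet window, an ICV modelled as HMAC-SHA256 truncated to 16 bytes (real ESP integrity algorithms and truncation lengths are negotiated per SA), a constructed key, SPI and payloads, and sequence-number jumps of less than 2^31 that stand in for the billions of packets a real SA would carry before wrapping.

```python
"""Added example: ESN inference and anti-replay check modelled on RFC 4303
Appendix A. Not code from any IETF draft; window size, ICV construction,
key, SPI and payloads are constructed for illustration."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
ICV_LEN = 16  # illustrative truncation, not a specific ESP integrity algorithm


def esp_icv(key: bytes, spi: int, seq64: int, payload: bytes) -> bytes:
    """ICV over SPI, low-order sequence number, payload and the *implicit*
    high-order ESN bits: the high bits never go on the wire, but they are
    appended to the data the ICV covers (RFC 4303 section 2.2.1)."""
    seql, seqh = seq64 & MASK32, seq64 >> 32
    data = struct.pack("!II", spi, seql) + payload + struct.pack("!I", seqh)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def send_packet(key: bytes, spi: int, seq64: int, payload: bytes):
    """Sender side: only the low 32 bits of the 64-bit ESN are transmitted."""
    return (spi, seq64 & MASK32, payload, esp_icv(key, spi, seq64, payload))


class EsnReceiver:
    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.w = key, spi, window
        self.top = 0      # highest 64-bit seq accepted so far; first valid seq is 1
        self.bitmap = 0   # bit i set => seq (top - i) has already been received

    def infer_seq(self, seql: int):
        """Reconstruct the 64-bit seq from the wire value (RFC 4303 A2.2)."""
        th, tl = self.top >> 32, self.top & MASK32
        bl = (tl - self.w + 1) & MASK32      # low bits at the bottom of the window
        if tl >= self.w - 1:                 # case A: window does not wrap
            seqh = th if seql >= bl else th + 1
        else:                                # case B: window straddles a 2^32 boundary
            seqh = th - 1 if seql >= bl else th
        return None if seqh < 0 else (seqh << 32) | seql

    def receive(self, packet) -> bool:
        spi, seql, payload, icv = packet
        if spi != self.spi:
            return False
        seq = self.infer_seq(seql)
        if seq is None or seq == 0:
            return False
        if seq <= self.top:
            diff = self.top - seq
            if diff >= self.w or (self.bitmap >> diff) & 1:
                return False                 # too old, or already seen (replay)
        # Verify before touching state: a forged packet must not move the window.
        if not hmac.compare_digest(icv, esp_icv(self.key, spi, seq, payload)):
            return False
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1) if shift < self.w else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True


def demo() -> dict:
    """Constructed exchange crossing the 2^32 boundary; returns each outcome."""
    key, spi = b"constructed-demo-key", 0x1234
    rx = EsnReceiver(key, spi)
    r = {}
    p1 = send_packet(key, spi, 1, b"first")
    r["first"] = rx.receive(p1)
    # Two forward jumps (< 2^31 each) stand in for the packets in between.
    r["jump1"] = rx.receive(send_packet(key, spi, 0x7FFFFFFF, b"mid"))
    r["jump2"] = rx.receive(send_packet(key, spi, 0xFFFFFFFE, b"near-wrap"))
    # seql = 1 again on the wire, but the receiver infers seqh = 1.
    r["wrap"] = rx.receive(send_packet(key, spi, (1 << 32) + 1, b"after-wrap"))
    r["replay_low"] = rx.receive(p1)         # seql 1 now maps to 2^32+1: replay
    late = send_packet(key, spi, 0xFFFFFFFF, b"late")
    r["late_in_window"] = rx.receive(late)   # case B: seqh inferred as 0
    r["replay_late"] = rx.receive(late)
    # A pre-wrap packet the receiver never saw (bitmap cannot catch it):
    # the receiver infers seqh = 1, so the ICV computed for seqh = 0 fails.
    r["pre_wrap_never_seen"] = rx.receive(send_packet(key, spi, 7, b"old"))
    return r
```

The point a practitioner should take from this: with a 32-bit sequence number the receiver has no way to tell the pre-wrap packet 7 from a post-wrap packet 7, so anti-replay silently breaks once 2^32 packets have been sent on an SA; with ESN the high-order bits are both inferred from the window and bound into the ICV, so a replayed or reordered pre-wrap packet is rejected even when it falls outside the bitmap's memory.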