[storm] New IPsec security text for iSCSI
<david.black@emc.com> Wed, 19 October 2011 22:04 UTC
From: <david.black@emc.com>
To: <cbm@chadalapaka.com>, <storm@ietf.org>
Date: Wed, 19 Oct 2011 18:04:20 -0400
Thread-Topic: New IPsec security text for iSCSI
Thread-Index: AcyHe94FZEUv7+U5SFqYK2vwz++PxAHLDkpA
Message-ID: <7C4DFCE962635144B8FAE8CA11D0BF1E058D073AB1@MX14A.corp.emc.com>
References: <SNT131-ds2B6E0369C0591DF047263A0FD0@phx.gbl>
In-Reply-To: <SNT131-ds2B6E0369C0591DF047263A0FD0@phx.gbl>
Subject: [storm] New IPsec security text for iSCSI
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
The attached text file contains the new security text for the iSCSI consolidated draft, with differences marked against the -03 version of that draft. The primary changes are to rewrite the IPsec requirements as previously announced:

- MUST implement IPsec, 2400-series RFCs (IPsec v2, IKEv1).
- SHOULD implement IPsec, 4300-series RFCs (IPsec v3, IKEv2).

In addition, I have made the following three IPsec requirements changes that seemed appropriate - an important purpose of this message is to solicit comments on them (including any objections):

1) If IKEv2 is supported, then AES GCM SHOULD be implemented. AES GCM is (IMHO) a better choice than the combination of AES CBC MAC with XCBC and AES CTR, but I did not remove the SHOULD recommendations for the latter two (FWIW, both of these SHOULD be implemented for IKEv2, see RFC 4307).

2) For implementations expected to operate at 1Gbps or greater: If ESPv3 (part of IPsec v3) is implemented, extended (64-bit) sequence numbers MUST be implemented and SHOULD be used (RFC 3720 indicated that this requirement was coming, so here it is ...).

3) DES MUST NOT be used (RFC 3720 specified that DES SHOULD NOT be used). The reason for this change should be obvious ;-).

I also added a paragraph to indicate that determination of which versions of IPsec are supported by a target is out of scope, but if both initiator and target support both IPsec v2 and v3, then use of v3 is recommended [lower case, this is deliberate].

Note that RFC 3723 needs to be added to the list of RFCs that are updated by the iSCSI consolidated draft. There will be a number of references that will need to be added - I didn't put those into the attached text file.

Thanks,
--David

----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
david.black@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
- [storm] Draft iSCSI Consolidated spec w/ Last Cal… Mallikarjun Chadalapaka
- [storm] New IPsec security text for iSCSI david.black
- Re: [storm] New IPsec security text for iSCSI Mallikarjun Chadalapaka
- Re: [storm] New IPsec security text for iSCSI david.black
- Re: [storm] New IPsec security text for iSCSI Mallikarjun Chadalapaka
- Re: [storm] New IPsec security text for iSCSI david.black
- Re: [storm] New IPsec security text for iSCSI david.black