Re: [storm] iSCSI consolidated draft: IPsec topics
"Black, David" <david.black@emc.com> Sun, 10 March 2013 02:08 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB61D21F87CE for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:08:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l58pSYZYvyB8 for <storm@ietfa.amsl.com>; Sat, 9 Mar 2013 18:08:45 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 2ADB821F87C3 for <storm@ietf.org>; Sat, 9 Mar 2013 18:08:44 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A28hHE031265 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <storm@ietf.org>; Sat, 9 Mar 2013 21:08:43 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd06.lss.emc.com [10.254.222.130]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor) for <storm@ietf.org>; Sat, 9 Mar 2013 21:08:31 -0500
Received: from mxhub04.corp.emc.com (mxhub04.corp.emc.com [10.254.141.106]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2A28UBW008509 for <storm@ietf.org>; Sat, 9 Mar 2013 21:08:30 -0500
Received: from mx15a.corp.emc.com ([169.254.1.118]) by mxhub04.corp.emc.com ([10.254.141.106]) with mapi; Sat, 9 Mar 2013 21:08:30 -0500
From: "Black, David" <david.black@emc.com>
To: "storm@ietf.org" <storm@ietf.org>
Date: Sat, 09 Mar 2013 21:08:28 -0500
Thread-Topic: iSCSI consolidated draft: IPsec topics
Thread-Index: Ac3ohkVbe490JnOWSJGCGTVjrbWKEg0qQqgQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71290DCD884@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71287DB21EB@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71287DB21EB@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: Re: [storm] iSCSI consolidated draft: IPsec topics
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2013 02:08:47 -0000
Having seen no objection to this, I think we have WG rough consensus for all three of these IPsec items: > a) Need to specify required key lengths > b) Scope of update to RFC 3723 (IP Storage Security) > c) Encryption Algorithm requirements However the next steps from here are different for each item: -- a) Required key lengths Mallikarjun should go ahead and add the appropriate text to the iSCSI consolidated draft to say that 128 bit AES keys are REQUIRED, and other key lengths are OPTIONAL. -- b) Scope of update to RFC 3723 (IP Storage Security) We will need to update 3723 and *everything* that references it - iSER turned out to be the forcing function here, as it requires the RFC 3723 IPsec profile to be updated for both iSCSI and the iWARP (rddp) protocols, otherwise the result for iSER over iWARP is bizarre (two different IPsec profiles). In 20/20 hindsight (e.g., I wish I'd thought of this over the holidays at the end of last year), I now think the "right thing" to do here is to write a separate draft that contains the IPsec updates to 3723, and anything else that needs to be changed there. That'll help people who just want to understand the IPsec changes, and it'll cut down the list of RFCs that the consolidated iSCSI RFC updates, as RFC 3723 is cited by 19 RFCs: http://www.arkko.com/tools/allstats/citations-rfc3723.html That can't be done yet, because ... -- c) Encryption Algorithm requirements I need to take these to the ipsecme WG mailing list and meeting this week in Orlando to get them checked by the experts on this. Stay tuned ... Thanks, --David > -----Original Message----- > From: storm-bounces@ietf.org [mailto:storm-bounces@ietf.org] On Behalf Of > Black, David > Sent: Tuesday, January 01, 2013 8:13 PM > To: storm@ietf.org > Subject: [storm] iSCSI consolidated draft: IPsec topics > Importance: High > > <WG Chair hat OFF> > > This email is sent as the shepherd for the iSCSI consolidated draft. > > Three issues have arisen around the iSCSI consolidated draft's > IPsec provisions. In rough order from simpler to more complex, > they are: > > a) Need to specify required key lengths > b) Scope of update to RFC 3723 (IP Storage Security) > c) Encryption Algorithm requirements > > I don't think the first two are controversial, but the third one > may be. > > -- a) Required key lengths > > There are a bunch of requirements (MUST or SHOULD) for AES algorithm > implementation that don't specify a key length. > > Proposal: The requirements apply to 128 bit keys. Longer key lengths > (192 bits, 256 bits) are MAY requirements and hence don't need to be > stated. > > -- b) Scope of IPsec update to RFC 3723 (IP Storage Security) > > RFC 3723's IPsec profile was used by a number of protocols beyond iSCSI, > including FCIP, iFCP and the RDDP (iWarp) protocols. The effects of > the update to that profile aren't obvious. > > Proposal: List all the RFCs that pick up this update in the consolidated > iSCSI draft's "Updates" header and add some text to the Security > Considerations section to explain this. > > -- c) Encryption Algorithm requirements > > Here's what's currently in the consolidated iSCSI draft: > > - 3DES in CBC mode MUST be implemented [RFC2451]. > - AES in Counter mode SHOULD be implemented [RFC3686]. > - Implementations that support IKEv2 [RFC5996] SHOULD also > implement AES GCM [RFC4106] > > Aside from adding the 128 bit key size requirement, there are a > couple of other concerns: > > (1) The MUST for 3DES-CBC has become questionable due to 3DES's > 64 bit block size, i.e., the core cipher encrypts or decrypts 64 bits > at a time. > > Things start to go awry cryptographically as one approaches the > birthday bound of 32GB (GigaBytes) of data encrypted under the > same key. Here are a couple of links: > > http://www.ietf.org/mail-archive/web/ipsec/current/msg07997.html > http://www.ietf.org/mail-archive/web/ipsec/current/msg08031.html > > How far away to stay from that bound is a judgment call, but 32GB > or some fraction thereof is not a lot of data for iSCSI to move. > > One could deal with this via rekeying, but the result will be > rather frequent rekeying if one decides to stay at least an order > of magnitude away on a multi-gigabit/sec link. > > In contrast, AES has a 128 bit blocksize, and so its birthday > bound is astronomical (2^69 bytes if I have the math right). > > AES CBC is the most common mandatory-to-implement mode for > interoperability. > > (2) AES CTR was originally selected for its hardware friendliness > (e.g., it pipelines well), even though there was no hardware > friendly integrity MAC algorithm to go with it at the time. AES GCM > is now the strongly preferred choice, as it provides encryption > and a MAC. > > > ... Now comes the fun ... > > Proposal (w/o RFC citations, all AES requirements are for 128 bit keys): > > - 3DES in CBC mode MAY be implemented (previously MUST) > - AES in CBC mode MUST be implemented (previously implicitly MAY) > - AES in Counter mode MAY be implemented (previously SHOULD) > - Implementations that support IKEv2 SHOULD also > implement AES GCM (new requirement) > > This would be accompanied by text that explains the birthday bound > effect of 3DES's 64 bit blocksize, and suggests that implementations > desiring hardware efficiency look to AES GCM rather than AES Counter. > > The intent is that these requirements are readily met by widely > available IPsec implementations. > > ------------------ > > Please comment. I'll probably assume that a) key size and b) RFC 3723 > IPsec update scope are ok in the absence of objection, but I definitely > want to see some discussion of c) encryption algorithm requirements. > > Thanks, > --David > ---------------------------------------------------- > David L. Black, Distinguished Engineer > EMC Corporation, 176 South St., Hopkinton, MA 01748 > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > david.black@emc.com Mobile: +1 (978) 394-7754 > ---------------------------------------------------- > > _______________________________________________ > storm mailing list > storm@ietf.org > https://www.ietf.org/mailman/listinfo/storm
- [storm] iSCSI consolidated draft: IPsec topics Black, David
- Re: [storm] iSCSI consolidated draft: IPsec topics Black, David