[storm] Comments on draft-ietf-storm-ipsec-ips-update

Tom Talpey <ttalpey@microsoft.com> Wed, 26 June 2013 21:11 UTC

Return-Path: <ttalpey@microsoft.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1A6FF21F9B16 for <storm@ietfa.amsl.com>; Wed, 26 Jun 2013 14:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id rTVwoxF+vR+z for <storm@ietfa.amsl.com>; Wed, 26 Jun 2013 14:11:41 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com []) by ietfa.amsl.com (Postfix) with ESMTP id CA86921F9978 for <storm@ietf.org>; Wed, 26 Jun 2013 14:11:35 -0700 (PDT)
Received: from BN1AFFO11FD016.protection.gbl ( by BN1BFFO11HUB024.protection.gbl ( with Microsoft SMTP Server (TLS) id 15.0.707.0; Wed, 26 Jun 2013 21:11:32 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com ( by BN1AFFO11FD016.mail.protection.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.707.0 via Frontend Transport; Wed, 26 Jun 2013 21:11:32 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([]) with mapi id 14.03.0136.001; Wed, 26 Jun 2013 21:11:29 +0000
From: Tom Talpey <ttalpey@microsoft.com>
To: "storm@ietf.org" <storm@ietf.org>, "david.black@emc.com" <david.black@emc.com>, "Paul_Koning@Dell.com" <Paul_Koning@Dell.com>
Thread-Topic: Comments on draft-ietf-storm-ipsec-ips-update
Thread-Index: Ac5yqwuewpr4eeBIT2quJXY1BPmnxA==
Date: Wed, 26 Jun 2013 21:11:29 +0000
Message-ID: <614F550557B82C44AC27C492ADA391AA0774F9A0@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(47776003)(20776003)(81542001)(47446002)(53806001)(76796001)(50466002)(59766001)(46102001)(31966008)(79102001)(77096001)(76482001)(56776001)(16406001)(54316002)(74366001)(76786001)(51856001)(33656001)(46406003)(54356001)(77982001)(56816003)(6806003)(81342001)(47736001)(63696002)(23726002)(65816001)(47976001)(74662001)(69226001)(74502001)(76176001)(50986001)(49866001)(4396001)(74706001)(66066001)(74876001)(55846006)(80022001); DIR:OUT; SFP:; SCL:1; SRVR:BN1BFFO11HUB024; H:TK5EX14HUBC103.redmond.corp.microsoft.com; CLIP:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 08897B549D
Subject: [storm] Comments on draft-ietf-storm-ipsec-ips-update
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2013 21:11:48 -0000

I have the following comments from a review of the latest draft.

1) In section 1 Introduction, the term "IP Storage protocols" is not defined. For example, it's not clear whether NFS or SMB are intended to fall under this scope. And the document later refers to the various iWARP specifications, which are not limited to transporting storage. Assuming that's not the intent, I suggest defining the term, or restating it more generically. Technically speaking, this comment applies to the title of the document as well.

2) In section 1 Introduction, the text in the following sentence is vague:

   ...  IP storage protocols can
   be expected to operate at high data rates (multiple Gigabits/second);
   the requirements in this document are strongly influenced by that
   expectation, and hence may not be appropriate for use of IPsec with
   other protocols that do not operate at high data rates.

It's not clear what requirements may not be appropriate, and why. Indeed, later discussion makes specific requirements for >1Gb, and is silent on lower speed. If the requirements are not applicable in some cases, the cases should be named.

Perhaps simply dropping the entire parenthetical statement "...and hence may not...high data rates".

3) In section 1.2 Updated RFCs, the word "update" appears but it's not clear what is updated in the many affected documents. Are there any required changes, outside of extending their RFC3723 references? And presumably, it is not the intention to retroactively make these requirements, therefore any existing RFC3723-compliant security approach remains intact?  Perhaps the statement would be more accurately "provides updated reference guidance for IPsec security requirements beyond those of RFC3723."

   The requirements for IPsec usage with IP storage in RFC 3723 are used
   by a number of protocols.  For that reason, beyond updating RFC 3723,
   this document also updates the IPsec requirements for each protocol
   specification that uses RFC 3723, i.e., the following RFCs in
   addition to RFC 3723:

4) [editorial] In section 2.2 the word "astronomical" is unnecessary and should be deleted. Is there a reference for the 2^69 birthday bound of AES blocks? Point the discussion there.

   3GB on a multi-gigabit/sec link.  In contrast, AES has a 128 bit
   block size, which results in an astronomical birthdaya bound (2^69
   bytes).  AES CBC is the primary mandatory-to-implement cryptographic

The word "may" in the relevant requirement is not in RFC2119 form:

   o  Implementations that support IKEv2 SHOULD also implement AES GCM
      with 128-bit keys; other key sizes may be supported.

5) Also in section 2.2, the following requirement is unclear whether AES in CBC mode MUST be supported, or whether any use of AES in CBC mode MUST be implemented with a specific minimum key size. It seems the statement is "AES in CBC mode SHOULD be supported, with keys that MUST be at least 128 bits in length." Correct?

   o  AES in CBC mode MUST be implemented with 128-bit keys; other key
      sizes MAY be supported, and

6) Finally, in section 2.2 there is a new MUST requirement. This would appear to introduce an incompatibility with RFC 3723. Is it a SHOULD?

   In addition, NULL encryption [RFC2410] MUST be implemented to enable
   use of SAs that provide data origin authentication and data
   integrity, but not confidentiality.  Other transforms MAY be
   implemented in addition to those listed above.