[storm] iSCSI consolidated draft: IPsec topics
"Black, David" <david.black@emc.com> Wed, 02 January 2013 01:13 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142E621E8041 for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+8tJ1LpXUCA for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:13:10 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5AE1121E8030 for <storm@ietf.org>; Tue, 1 Jan 2013 17:13:03 -0800 (PST)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021D16r024899 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <storm@ietf.org>; Tue, 1 Jan 2013 20:13:01 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor) for <storm@ietf.org>; Tue, 1 Jan 2013 20:12:46 -0500
Received: from mxhub17.corp.emc.com (mxhub17.corp.emc.com [10.254.93.46]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021CkO2014011 for <storm@ietf.org>; Tue, 1 Jan 2013 20:12:46 -0500
Received: from mx15a.corp.emc.com ([169.254.1.210]) by mxhub17.corp.emc.com ([10.254.93.46]) with mapi; Tue, 1 Jan 2013 20:12:45 -0500
From: "Black, David" <david.black@emc.com>
To: "storm@ietf.org" <storm@ietf.org>
Importance: high
X-Priority: 1
Date: Tue, 01 Jan 2013 20:12:45 -0500
Thread-Topic: iSCSI consolidated draft: IPsec topics
Thread-Index: Ac3ohkVbe490JnOWSJGCGTVjrbWKEg==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71287DB21EB@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: [storm] iSCSI consolidated draft: IPsec topics
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2013 01:13:11 -0000
<WG Chair hat OFF> This email is sent as the shepherd for the iSCSI consolidated draft. Three issues have arisen around the iSCSI consolidated draft's IPsec provisions. In rough order from simpler to more complex, they are: a) Need to specify required key lengths b) Scope of update to RFC 3723 (IP Storage Security) c) Encryption Algorithm requirements I don't think the first two are controversial, but the third one may be. -- a) Required key lengths There are a bunch of requirements (MUST or SHOULD) for AES algorithm implementation that don't specify a key length. Proposal: The requirements apply to 128 bit keys. Longer key lengths (192 bits, 256 bits) are MAY requirements and hence don't need to be stated. -- b) Scope of IPsec update to RFC 3723 (IP Storage Security) RFC 3723's IPsec profile was used by a number of protocols beyond iSCSI, including FCIP, iFCP and the RDDP (iWarp) protocols. The effects of the update to that profile aren't obvious. Proposal: List all the RFCs that pick up this update in the consolidated iSCSI draft's "Updates" header and add some text to the Security Considerations section to explain this. -- c) Encryption Algorithm requirements Here's what's currently in the consolidated iSCSI draft: - 3DES in CBC mode MUST be implemented [RFC2451]. - AES in Counter mode SHOULD be implemented [RFC3686]. - Implementations that support IKEv2 [RFC5996] SHOULD also implement AES GCM [RFC4106] Aside from adding the 128 bit key size requirement, there are a couple of other concerns: (1) The MUST for 3DES-CBC has become questionable due to 3DES's 64 bit block size, i.e., the core cipher encrypts or decrypts 64 bits at a time. Things start to go awry cryptographically as one approaches the birthday bound of 32GB (GigaBytes) of data encrypted under the same key. Here are a couple of links: http://www.ietf.org/mail-archive/web/ipsec/current/msg07997.html http://www.ietf.org/mail-archive/web/ipsec/current/msg08031.html How far away to stay from that bound is a judgment call, but 32GB or some fraction thereof is not a lot of data for iSCSI to move. One could deal with this via rekeying, but the result will be rather frequent rekeying if one decides to stay at least an order of magnitude away on a multi-gigabit/sec link. In contrast, AES has a 128 bit blocksize, and so its birthday bound is astronomical (2^69 bytes if I have the math right). AES CBC is the most common mandatory-to-implement mode for interoperability. (2) AES CTR was originally selected for its hardware friendliness (e.g., it pipelines well), even though there was no hardware friendly integrity MAC algorithm to go with it at the time. AES GCM is now the strongly preferred choice, as it provides encryption and a MAC. ... Now comes the fun ... Proposal (w/o RFC citations, all AES requirements are for 128 bit keys): - 3DES in CBC mode MAY be implemented (previously MUST) - AES in CBC mode MUST be implemented (previously implicitly MAY) - AES in Counter mode MAY be implemented (previously SHOULD) - Implementations that support IKEv2 SHOULD also implement AES GCM (new requirement) This would be accompanied by text that explains the birthday bound effect of 3DES's 64 bit blocksize, and suggests that implementations desiring hardware efficiency look to AES GCM rather than AES Counter. The intent is that these requirements are readily met by widely available IPsec implementations. ------------------ Please comment. I'll probably assume that a) key size and b) RFC 3723 IPsec update scope are ok in the absence of objection, but I definitely want to see some discussion of c) encryption algorithm requirements. Thanks, --David ---------------------------------------------------- David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 david.black@emc.com Mobile: +1 (978) 394-7754 ----------------------------------------------------
- [storm] iSCSI consolidated draft: IPsec topics Black, David
- Re: [storm] iSCSI consolidated draft: IPsec topics Black, David