[storm] iSCSI consolidated draft: IPsec topics
"Black, David" <david.black@emc.com> Wed, 02 January 2013 01:13 UTC
Return-Path: <david.black@emc.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142E621E8041 for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+8tJ1LpXUCA for <storm@ietfa.amsl.com>; Tue, 1 Jan 2013 17:13:10 -0800 (PST)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5AE1121E8030 for <storm@ietf.org>; Tue, 1 Jan 2013 17:13:03 -0800 (PST)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021D16r024899 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <storm@ietf.org>; Tue, 1 Jan 2013 20:13:01 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor) for <storm@ietf.org>; Tue, 1 Jan 2013 20:12:46 -0500
Received: from mxhub17.corp.emc.com (mxhub17.corp.emc.com [10.254.93.46]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r021CkO2014011 for <storm@ietf.org>; Tue, 1 Jan 2013 20:12:46 -0500
Received: from mx15a.corp.emc.com ([169.254.1.210]) by mxhub17.corp.emc.com ([10.254.93.46]) with mapi; Tue, 1 Jan 2013 20:12:45 -0500
From: "Black, David" <david.black@emc.com>
To: "storm@ietf.org" <storm@ietf.org>
Importance: high
X-Priority: 1
Date: Tue, 01 Jan 2013 20:12:45 -0500
Thread-Topic: iSCSI consolidated draft: IPsec topics
Thread-Index: Ac3ohkVbe490JnOWSJGCGTVjrbWKEg==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71287DB21EB@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: [storm] iSCSI consolidated draft: IPsec topics
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2013 01:13:11 -0000
<WG Chair hat OFF>
This email is sent as the shepherd for the iSCSI consolidated draft.
Three issues have arisen around the iSCSI consolidated draft's
IPsec provisions. In rough order from simpler to more complex,
they are:
a) Need to specify required key lengths
b) Scope of update to RFC 3723 (IP Storage Security)
c) Encryption Algorithm requirements
I don't think the first two are controversial, but the third one
may be.
-- a) Required key lengths
There are a bunch of requirements (MUST or SHOULD) for AES algorithm
implementation that don't specify a key length.
Proposal: The requirements apply to 128 bit keys. Longer key lengths
(192 bits, 256 bits) are MAY requirements and hence don't need to be
stated.
-- b) Scope of IPsec update to RFC 3723 (IP Storage Security)
RFC 3723's IPsec profile was used by a number of protocols beyond iSCSI,
including FCIP, iFCP and the RDDP (iWarp) protocols. The effects of
the update to that profile aren't obvious.
Proposal: List all the RFCs that pick up this update in the consolidated
iSCSI draft's "Updates" header and add some text to the Security
Considerations section to explain this.
-- c) Encryption Algorithm requirements
Here's what's currently in the consolidated iSCSI draft:
- 3DES in CBC mode MUST be implemented [RFC2451].
- AES in Counter mode SHOULD be implemented [RFC3686].
- Implementations that support IKEv2 [RFC5996] SHOULD also
implement AES GCM [RFC4106]
Aside from adding the 128 bit key size requirement, there are a
couple of other concerns:
(1) The MUST for 3DES-CBC has become questionable due to 3DES's
64 bit block size, i.e., the core cipher encrypts or decrypts 64 bits
at a time.
Things start to go awry cryptographically as one approaches the
birthday bound of 32GB (GigaBytes) of data encrypted under the
same key. Here are a couple of links:
http://www.ietf.org/mail-archive/web/ipsec/current/msg07997.html
http://www.ietf.org/mail-archive/web/ipsec/current/msg08031.html
How far away to stay from that bound is a judgment call, but 32GB
or some fraction thereof is not a lot of data for iSCSI to move.
One could deal with this via rekeying, but the result will be
rather frequent rekeying if one decides to stay at least an order
of magnitude away on a multi-gigabit/sec link.
In contrast, AES has a 128 bit blocksize, and so its birthday
bound is astronomical (2^69 bytes if I have the math right).
AES CBC is the most common mandatory-to-implement mode for
interoperability.
(2) AES CTR was originally selected for its hardware friendliness
(e.g., it pipelines well), even though there was no hardware
friendly integrity MAC algorithm to go with it at the time. AES GCM
is now the strongly preferred choice, as it provides encryption
and a MAC.
... Now comes the fun ...
Proposal (w/o RFC citations, all AES requirements are for 128 bit keys):
- 3DES in CBC mode MAY be implemented (previously MUST)
- AES in CBC mode MUST be implemented (previously implicitly MAY)
- AES in Counter mode MAY be implemented (previously SHOULD)
- Implementations that support IKEv2 SHOULD also
implement AES GCM (new requirement)
This would be accompanied by text that explains the birthday bound
effect of 3DES's 64 bit blocksize, and suggests that implementations
desiring hardware efficiency look to AES GCM rather than AES Counter.
The intent is that these requirements are readily met by widely
available IPsec implementations.
------------------
Please comment. I'll probably assume that a) key size and b) RFC 3723
IPsec update scope are ok in the absence of objection, but I definitely
want to see some discussion of c) encryption algorithm requirements.
Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
david.black@emc.com Mobile: +1 (978) 394-7754
----------------------------------------------------
- [storm] iSCSI consolidated draft: IPsec topics Black, David
- Re: [storm] iSCSI consolidated draft: IPsec topics Black, David