Re: [storm] Comments on draft-ietf-storm-ipsec-ips-update

Tom Talpey <ttalpey@microsoft.com> Thu, 27 June 2013 20:37 UTC

Return-Path: <ttalpey@microsoft.com>
X-Original-To: storm@ietfa.amsl.com
Delivered-To: storm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4577721F9F9E for <storm@ietfa.amsl.com>; Thu, 27 Jun 2013 13:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epFiTNwPV2Fb for <storm@ietfa.amsl.com>; Thu, 27 Jun 2013 13:37:04 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0211.outbound.protection.outlook.com [207.46.163.211]) by ietfa.amsl.com (Postfix) with ESMTP id 88D2B21F9F9F for <storm@ietf.org>; Thu, 27 Jun 2013 13:37:00 -0700 (PDT)
Received: from BY2FFO11FD023.protection.gbl (10.1.15.204) by BY2FFO11HUB002.protection.gbl (10.1.14.144) with Microsoft SMTP Server (TLS) id 15.0.717.3; Thu, 27 Jun 2013 20:36:59 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD023.mail.protection.outlook.com (10.1.15.212) with Microsoft SMTP Server (TLS) id 15.0.707.0 via Frontend Transport; Thu, 27 Jun 2013 20:36:58 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.79]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.03.0136.001; Thu, 27 Jun 2013 20:36:49 +0000
From: Tom Talpey <ttalpey@microsoft.com>
To: "Black, David" <david.black@emc.com>, "storm@ietf.org" <storm@ietf.org>, "Paul_Koning@Dell.com" <Paul_Koning@Dell.com>
Thread-Topic: Comments on draft-ietf-storm-ipsec-ips-update
Thread-Index: Ac5yqwuewpr4eeBIT2quJXY1BPmnxAASCVKwABICU1A=
Date: Thu, 27 Jun 2013 20:36:49 +0000
Message-ID: <614F550557B82C44AC27C492ADA391AA07750ACC@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <614F550557B82C44AC27C492ADA391AA0774F9A0@TK5EX14MBXC284.redmond.corp.microsoft.com> <8D3D17ACE214DC429325B2B98F3AE71298332C1E@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71298332C1E@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51704005)(51914003)(377454003)(189002)(199002)(13464003)(164054003)(51444003)(69226001)(59766001)(55846006)(54316002)(81542001)(81342001)(79102001)(74876001)(74366001)(74662001)(31966008)(56816003)(50466002)(77096001)(54356001)(77982001)(56776001)(76482001)(74502001)(76796001)(46102001)(76786001)(44976004)(51856001)(47446002)(74706001)(53806001)(47736001)(49866001)(46406003)(47976001)(50986001)(23726002)(65816001)(63696002)(20776003)(47776003)(6806003)(33656001)(4396001)(16406001)(66066001)(80022001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB002; H:TK5EX14HUBC105.redmond.corp.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 08902E536D
Subject: Re: [storm] Comments on draft-ietf-storm-ipsec-ips-update
X-BeenThere: storm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Storage Maintenance WG <storm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/storm>, <mailto:storm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/storm>
List-Post: <mailto:storm@ietf.org>
List-Help: <mailto:storm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/storm>, <mailto:storm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 20:37:10 -0000

> ...  I could leave
> 3DES as mandatory to implement for backwards compatibility if that helps,
> but AES CBC really has to be mandatory to implement due to the problems
> w/3DES at high data rates.  If both AES CBC and 3DES are supported, AES CBC
> SHOULD be used in preference to 3DES.

I'm ok with this, as long as these requirements are clearly stated. Any 3DES support seems to me an implementation choice - a target could validly refuse to do so based on data privacy requirements. So I would agree it is not a MUST.

> that developed them.  The draft title might be better restated to reference
> RFC 3723, and I'll see about changing the text from use of "IP Storage
> protocols" to talking about protocols that use the RFC 3723 IPsec
> requirements.  The first paragraph of the introduction will need to be
> expanded to explain this.

Sounds good, I'll look for the new proposed text.

> > 3) In section 1.2 Updated RFCs, the word "update" appears but it's not
> > clear what is updated in the many affected documents. Are there any
> > required changes, outside of extending their RFC3723 references?
> 
> Section 1.2 says that it "updates the IPsec requirements for each protocol
> specification that uses RFC 3723"  I think that sufficiently defines the scope.

Well, at least I was confused. Consider the reader of one of the original documents, who might follow the RFC3723 reference and be redirected to this new document. How would they read "updates"? It could mean "replaces" or "adds", and the difference will be important to an implementation. The text should strive for clarity.

> Actually, that is the intention, particularly the 3DES to AES CBC change in
> mandatory encryption algorithm due to birthday problems with 3DES at high
> data rates.  Older implementations may still claim compliance to RFC 3723
> prior to this update, but the intent of this update is to move away from 3DES
> in all cases.

Absolutely. As long as it is clear that this document deprecates 3DES.

> The birthday bound calculation for AES is in an email message and hence I'll
> need to reproduce that in an added appendix.

I guess that would help. I'd be ok with a milder statement which leaves birthday bounds to other documents. Surely, storage is not the only upper layer which seeks to protect its messages at high data rates, so others may have discussed?

> The requirement is basically correct as stated, AES in CBC mode with 128-bit
> keys MUST be supported.  Other key sizes for AES in CBC mode are
> OPTIONAL.
> I can rephrase in that form if it helps.

I think that would clarify the intent, yes. If you choose OPTIONAL, note that there are other places in the document which refer to key size. And, instead of "other", would "longer" be better guidance?

> It's not new - the requirement exists in RFC 3723, as the last sentence in
> section 2.3.1 on Transforms:
> 
>   ESP with NULL encryption MUST be supported for authentication.
> 
> That is the same requirement expressed in a different fashion.

Ah, ok. The text immediately prior to this paragraph reads "In addition", which makes it appear to be a new requirement as are the others. Stating that it is an existing requirement of RFC3723 would suffice.

Tom.



> -----Original Message-----
> From: Black, David [mailto:david.black@emc.com]
> Sent: Thursday, June 27, 2013 1:41 AM
> To: Tom Talpey; storm@ietf.org; Paul_Koning@Dell.com
> Subject: RE: Comments on draft-ietf-storm-ipsec-ips-update
> 
> Tom,
> 
> Thanks for the thorough review.
> 
> Most of this is editorial - the one item that is a technical issue is that the
> encryption algorithm requirement changes may not be backwards
> compatible, as 3DES is no longer appropriate for this use; AES CBC is the new
> mandatory to implement encryption algorithm in this draft.  I could leave
> 3DES as mandatory to implement for backwards compatibility if that helps,
> but AES CBC really has to be mandatory to implement due to the problems
> w/3DES at high data rates.  If both AES CBC and 3DES are supported, AES CBC
> SHOULD be used in preference to 3DES.
> 
> > 1) In section 1 Introduction, the term "IP Storage protocols" is not defined.
> > For example, it's not clear whether NFS or SMB are intended to fall
> > under this scope. And the document later refers to the various iWARP
> > specifications, which are not limited to transporting storage.
> > Assuming that's not the intent, I suggest defining the term, or
> > restating it more generically. Technically speaking, this comment applies to
> the title of the document as well.
> 
> I took another look at RFC 3723 - it's entitled "Securing Block Storage
> Protocols over IP" although, as you point out, its IPsec requirements have
> been applied to iWARP.  I've referred to these requirements as the IP
> Storage IPsec requirements, in part due to the name of the working group
> that developed them.  The draft title might be better restated to reference
> RFC 3723, and I'll see about changing the text from use of "IP Storage
> protocols" to talking about protocols that use the RFC 3723 IPsec
> requirements.  The first paragraph of the introduction will need to be
> expanded to explain this.
> 
> > 2) In section 1 Introduction, the text in the following sentence is vague:
> >
> >    ...  IP storage protocols can
> >    be expected to operate at high data rates (multiple Gigabits/second);
> >    the requirements in this document are strongly influenced by that
> >    expectation, and hence may not be appropriate for use of IPsec with
> >    other protocols that do not operate at high data rates.
> >
> > It's not clear what requirements may not be appropriate, and why.
> > Indeed, later discussion makes specific requirements for >1Gb, and is
> > silent on lower speed. If the requirements are not applicable in some
> > cases, the cases should be named.
> >
> > Perhaps simply dropping the entire parenthetical statement "...and
> > hence may not...high data rates".
> 
> Sure.
> 
> > 3) In section 1.2 Updated RFCs, the word "update" appears but it's not
> > clear what is updated in the many affected documents. Are there any
> > required changes, outside of extending their RFC3723 references?
> 
> Section 1.2 says that it "updates the IPsec requirements for each protocol
> specification that uses RFC 3723"  I think that sufficiently defines the scope.
> 
> > And presumably, it is
> > not the intention to retroactively make these requirements, therefore
> > any existing RFC3723-compliant security approach remains intact?
> 
> Actually, that is the intention, particularly the 3DES to AES CBC change in
> mandatory encryption algorithm due to birthday problems with 3DES at high
> data rates.  Older implementations may still claim compliance to RFC 3723
> prior to this update, but the intent of this update is to move away from 3DES
> in all cases.
> 
> > 4) [editorial] In section 2.2 the word "astronomical" is unnecessary
> > and should be deleted
> 
> Ok.
> 
> > Is there a reference for the 2^69 birthday bound of AES blocks? Point
> > the discussion there.
> 
> The birthday bound calculation for AES is in an email message and hence I'll
> need to reproduce that in an added appendix.
> 
> > The word "may" in the relevant requirement is not in RFC2119 form:
> >
> >    o  Implementations that support IKEv2 SHOULD also implement AES GCM
> >       with 128-bit keys; other key sizes may be supported
> 
> Ok.
> 
> > 5) Also in section 2.2, the following requirement is unclear whether
> > AES in CBC mode MUST be supported, or whether any use of AES in CBC
> > mode MUST be implemented with a specific minimum key size. It seems
> > the statement is "AES in CBC mode SHOULD be supported, with keys that
> > MUST be at least 128 bits in length." Correct?
> >
> >    o  AES in CBC mode MUST be implemented with 128-bit keys; other key
> >       sizes MAY be supported, and
> 
> The requirement is basically correct as stated, AES in CBC mode with 128-bit
> keys MUST be supported.  Other key sizes for AES in CBC mode are
> OPTIONAL.
> I can rephrase in that form if it helps.
> 
> > 6) Finally, in section 2.2 there is a new MUST requirement. This would
> > appear to introduce an incompatibility with RFC 3723. Is it a SHOULD?
> 
> It's not new - the requirement exists in RFC 3723, as the last sentence in
> section 2.3.1 on Transforms:
> 
>   ESP with NULL encryption MUST be supported for authentication.
> 
> That is the same requirement expressed in a different fashion.
> 
> Thanks,
> --David
> 
> 
> > -----Original Message-----
> > From: Tom Talpey [mailto:ttalpey@microsoft.com]
> > Sent: Wednesday, June 26, 2013 5:11 PM
> > To: storm@ietf.org; Black, David; Paul_Koning@Dell.com
> > Subject: Comments on draft-ietf-storm-ipsec-ips-update
> >
> > I have the following comments from a review of the latest draft.
> >
> >
> >
> > 1) In section 1 Introduction, the term "IP Storage protocols" is not defined.
> > For example, it's not clear whether NFS or SMB are intended to fall
> > under this scope. And the document later refers to the various iWARP
> > specifications, which are not limited to transporting storage.
> > Assuming that's not the intent, I suggest defining the term, or
> > restating it more generically. Technically speaking, this comment applies to
> the title of the document as well.
> >
> >
> >
> > 2) In section 1 Introduction, the text in the following sentence is vague:
> >
> >    ...  IP storage protocols can
> >    be expected to operate at high data rates (multiple Gigabits/second);
> >    the requirements in this document are strongly influenced by that
> >    expectation, and hence may not be appropriate for use of IPsec with
> >    other protocols that do not operate at high data rates.
> >
> > It's not clear what requirements may not be appropriate, and why.
> > Indeed, later discussion makes specific requirements for >1Gb, and is
> > silent on lower speed. If the requirements are not applicable in some
> > cases, the cases should be named.
> >
> > Perhaps simply dropping the entire parenthetical statement "...and
> > hence may not...high data rates".
> >
> >
> >
> > 3) In section 1.2 Updated RFCs, the word "update" appears but it's not
> > clear what is updated in the many affected documents. Are there any
> > required changes, outside of extending their RFC3723 references? And
> > presumably, it is not the intention to retroactively make these
> > requirements, therefore any existing RFC3723-compliant security
> > approach remains intact?  Perhaps the statement would be more
> > accurately "provides updated reference guidance for IPsec security
> requirements beyond those of RFC3723."
> >
> >    The requirements for IPsec usage with IP storage in RFC 3723 are used
> >    by a number of protocols.  For that reason, beyond updating RFC 3723,
> >    this document also updates the IPsec requirements for each protocol
> >    specification that uses RFC 3723, i.e., the following RFCs in
> >    addition to RFC 3723:
> >
> >
> >
> > 4) [editorial] In section 2.2 the word "astronomical" is unnecessary
> > and should be deleted. Is there a reference for the 2^69 birthday
> > bound of AES blocks? Point the discussion there.
> >
> >    3GB on a multi-gigabit/sec link.  In contrast, AES has a 128 bit
> >    block size, which results in an astronomical birthdaya bound (2^69
> >    bytes).  AES CBC is the primary mandatory-to-implement
> > cryptographic
> >
> > The word "may" in the relevant requirement is not in RFC2119 form:
> >
> >    o  Implementations that support IKEv2 SHOULD also implement AES GCM
> >       with 128-bit keys; other key sizes may be supported.
> >
> >
> >
> > 5) Also in section 2.2, the following requirement is unclear whether
> > AES in CBC mode MUST be supported, or whether any use of AES in CBC
> > mode MUST be implemented with a specific minimum key size. It seems
> > the statement is "AES in CBC mode SHOULD be supported, with keys that
> > MUST be at least 128 bits in length." Correct?
> >
> >    o  AES in CBC mode MUST be implemented with 128-bit keys; other key
> >       sizes MAY be supported, and
> >
> >
> >
> > 6) Finally, in section 2.2 there is a new MUST requirement. This would
> > appear to introduce an incompatibility with RFC 3723. Is it a SHOULD?
> >
> >    In addition, NULL encryption [RFC2410] MUST be implemented to enable
> >    use of SAs that provide data origin authentication and data
> >    integrity, but not confidentiality.  Other transforms MAY be
> >    implemented in addition to those listed above.
> >
> >