RE: iSCSI Security mechanisms

[Black_David@emc.com]

Bernard,

I think this is an instance of brilliant minds
thinking alike (or at least along parallel tracks)
With the exception of your final paragraph, your
comments have reproduced much of the rationale from
the interim meeting for wanting to use SRP for ESP
keying.  I apologize for the lack of detail
in the minutes that lead you to have to reproduce
this - it's hard to take good minutes and
actively participate in the discussion at
the same time.  I guess this is a backhanded
confirmation that using SRP to key ESP is digging in
a useful place :-).  iSCSI already has sufficient
negotiation support to handle selection of
prime/modulus, etc., provided that one is careful
about how it's used (the negotiation is not
authenticated/protected in the fashion that
IKE's is).

There are multiple concerns about IKE.  In addition
to code size, there's a concern that the iSCSI
identities that need to be authenticated (Node
Names) are both foreign to IKE and have a greater
span (i.e., IKE is not end-to-end wrt iSCSI
because the identities of multiple iSCSI nodes
that share a single <IP address, TCP port> pair
can't be distinguished below the iSCSI layer).
There's also a need for SRP by itself to be usable
for inband authentication when/where ESP is not
used (my mechanism summary email was about what
MUST/SHOULD/MAY be implemented -- what MUST/SHOULD/MAY
be used is a separate, but related, issue) - IKE
is not a good fit for this sort of authentication.

iSCSI does have to specify the ESP authentication/integrity
transform - as things currently stand, a SHA-1 HMAC
(RFC 2404 specifies HMAC-SHA-1-96) would be a likely
choice, but an alternate could be an AES-related MAC if
it's specification will be available in a suitable timeframe.

I'll correct my usage of "manual" vs. "pre-shared" keys
in the future - thanks for the clarification.

Thanks,
--David

> -----Original Message-----
> From:	Bernard Aboba [SMTP:aboba@internaut.com]
> Sent:	Thursday, May 31, 2001 8:13 PM
> To:	Black_David@emc.com
> Cc:	ips@ece.cmu.edu
> Subject:	Re: iSCSI Security mechanisms
> 
> > This leaves open the issue of where the key(s) for
> > ESP come from.  IKE is OPTIONAL, and use of SRP to
> > supply keys for ESP is NOT REQUIRED (not even
> > specified - I need to find the time to work on
> > writing this up).  This leaves pre-shared keys as
> > the minimum mechanism, and hence I believe that
> > a suitably secured administrative interface to
> > supply pre-shared keys to ESP will have to be
> > REQUIRED for interoperability even if a dynamic
> > keying mechanism like IKE is implemented.
> > 
> Let me make sure I understand this:
> 
> a. You use SRP (which derives a key) only for authentication, but then
> throw the derived keying material away. 
> 
> b. You then use IPSEC manual keying, along with an unspecified
> transform, and key distribution mechanism. 
> 
> Note that what is described above is not really pre-shared secrets,
> because those are used to authenticate DH in order to derive keying
> material. Since you're not using derived keying material, we're really
> talking about manual keying. 
> 
> I would suggest that the above manages to combine the computational
> demands of IKE (and then some, since SRP is slower than ordinary DH)
> the administrative headaches of manual keying and the interoperability
> problems of specifying nothing. 
> 
> Ancient proverb: "The first step in removing yourself from a deep hole is
> to stop digging." 
> 
> If you're going to do SRP for authentication, you might as well add in key
> derivation, and negotiation of things like ciphersuites, prime
> modulus/generator groups, etc. so you can use it for IPSEC keying. 
> A rather small spec could accomplish this IF we decide it is necessary.
> 
> If don't want to use the SRP keying material, you might as well use a
> slimmed down version of IKE (say, aggressive mode only) to address the
> code size concern.
>