
    iSCSI IPsec-Related Algorithm Proposal



    David:
    
    Progress on completing the iSCSI draft RFCs is extending past the
    development deadlines necessary to allow 2002 product teams to complete
    their designs.  One open issue relates to selecting the specific IPsec ESP
    integrity (mandatory to implement) and confidentiality (optional to
    implement) algorithms for use with iSCSI.  Members of the working group have
    been focused until now on algorithms that would scale to 10 Gbit/sec.  Even
    though progress has been made at identifying promising candidate algorithms
    (AES-based PMAC Mode for integrity and AES-based Counter Mode for
    confidentiality - see http://csrc.nist.gov/encryption/modes/), this work
    will not be completed in time for inclusion in 2002 products.
    
    As a result, I would like to propose to the iSCSI Working Group a two-phase
    strategy for selecting the specific IPsec ESP integrity and confidentiality
    algorithms for use with iSCSI.  Since almost all 2002 products will be using
    1 Gbit/sec interfaces, phase one products would standardize on already
    approved IPsec ESP algorithms that can be scaled to 1 Gbit/sec and phase two
    products (i.e., 2003) would standardize on algorithms that can be scaled to
    10 Gbit/sec.
    
    Specifically, phase one products would use AES CBC MAC mode as the integrity
    algorithm and AES CBC mode as the confidentiality algorithm.  This proposal
    means vendors only have to implement a single base-algorithm with slight
    mode variations in order to have a complete 1 Gbit solution (integrity and
    confidentiality).  Adopting AES in phase one also establishes a foundation
    upon which to build phase two solutions (different modes of operation on the
    same base algorithm).
    
    While this proposal only addresses a small part of the total "iSCSI
    security" problem, it would allow silicon vendors to finalize a critical
    part of their 2002 designs.
     
    Thanks
    
    Howard C. Herbert
    
    Product Architect
    Intel Corporation
    LAN Access Division
    Phone: 480-554-3116
    
    
    
    


Last updated: Tue Sep 04 01:04:22 2001