RE: iSCSI IPsec-Related Algorithm Proposal

> Specifically, phase one products would use AES CBC MAC mode as the integrity
> algorithm and AES CBC mode as the confidentiality algorithm. This proposal
> means vendors only have to implement a single base-algorithm with slight
> mode variations in order to have a complete 1 Gbit solution (integrity and
> confidentiality). Adopting AES in phase one also establishes a foundation
> upon which to build phase two solutions (different modes of operation on the
> same base algorithm).

What would you recommend as reference specifications for these algorithms, and specifically their use with ESP? There are no RFCs specifying this, and I haven't seen an Internet-Draft on the MAC (there is one on use of AES for confidentiality). My personal preference would be for something AES-based (perhaps using one of the new SHA hashes in an HMAC instead of the AES CBC MAC) rather than falling back to things like SHA-1 and 3DES.

Meanwhile, we have another issue. As of the outcome of the Nashua meeting, the minimum (MUST implement) requirement for keying ESP was manual keying. That's not going to be sufficient because there will be situations in which iSCSI causes ESP's 32-bit sequence number to roll over, creating a vulnerability to replay attacks. This is going to require specification of a MUST implement rekeying algorithm. IKE or a subset is one possibility, and working out the details of SRP-based keying (and rekeying) of ESP is another. A somewhat drafty draft on the latter may appear prior to London assuming that I can find the "copious spare time" to get it written.

Comments?

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
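
Added example, not part of the original message or of any iSCSI/IPsec specification: a small Python model of the sequence-number rollover concern raised above, comparing a receiver that keeps one manually configured key across the wrap with one that rekeys first. The truncated HMAC-SHA256 standing in for the ESP integrity check, the 64-packet window, the keys and the payloads are assumptions constructed for the illustration, as is the receiver that restarts its window at the wrap so traffic keeps flowing.

```python
import hashlib
import hmac

WINDOW = 64          # anti-replay window size in packets (assumed)
SEQ_MOD = 2 ** 32    # ESP sequence numbers are 32 bits wide


def icv(key, seq, payload):
    """Stand-in integrity check value over sequence number and payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]


class Receiver:
    """Model of an ESP receiver with a sliding anti-replay window."""

    def __init__(self, key):
        self.rekey(key)

    def rekey(self, key):
        # A new SA means a new key and a fresh sequence-number space.
        self.key, self.top, self.seen = key, 0, set()

    def accept(self, seq, payload, tag):
        if not hmac.compare_digest(icv(self.key, seq, payload), tag):
            return False                      # wrong key or tampered packet
        if seq + WINDOW <= self.top or seq in self.seen:
            return False                      # too old or duplicate
        self.top = max(self.top, seq)
        self.seen = {s for s in self.seen | {seq} if s + WINDOW > self.top}
        return True


def run(rekey_before_wrap):
    """Return (fresh_post_wrap_accepted, replay_of_old_packet_accepted)."""
    old_key, new_key = b"k" * 16, b"n" * 16   # constructed sample keys
    rx = Receiver(old_key)
    captured = (5, b"WRITE lba=5", icv(old_key, 5, b"WRITE lba=5"))
    assert rx.accept(*captured)               # original delivery, seq 5
    last = SEQ_MOD - 1                        # sender reaches the top of the space
    assert rx.accept(last, b"x", icv(old_key, last, b"x"))
    if rekey_before_wrap:
        rx.rekey(new_key)                     # dynamic keying: new SA, new key
        tx_key = new_key
    else:
        rx.top, rx.seen = 0, set()            # manual keying: counter wraps, key stays
        tx_key = old_key
    fresh = rx.accept(1, b"y", icv(tx_key, 1, b"y"))
    replay = rx.accept(*captured)             # old packet from before the wrap, resent
    return fresh, replay
```

With the key unchanged across the wrap, the packet recorded at sequence number 5 still carries a valid integrity value and falls inside the restarted window, so it is accepted a second time; after a rekey the same packet fails the integrity check.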