SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: FW: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt



    Some additional issues raised at that workshop:
    
    1. Typical security protocols, in particular the IPsec transforms, require
    authentication to extend beyond the ciphertext to some additional cleartext
    (e.g., the SPI and replay counter for ESP). Such use needs to be carefully
    designed, and there are no current standardized proposals with proven
    security.
    
    2. To support ESP NULL, any such mode needs to be defined so as to support
    authentication without confidentiality.
    
    --Joe
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Mark Winstead
    Sent: Monday, August 27, 2001 6:06 AM
    To: 'Black_David@emc.com'; sandeepj@research.bell-labs.com;
    ips@ece.cmu.edu
    Subject: RE: FW: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt
    
    
    Last Friday, NIST held a modes of operation workshop (for the protection and
    privacy of sensitive but unclassified data, NIST authorizes suitable
    algorithms and techniques for use by federal government departments and
    agencies).
    
    OCB is one of three modes considered that achieve both privacy and
    authentication, as well as the potential to scale well for speed. All three
    either have patents or have been submitted for patents. IMHO w/o coding
    them, only two of the three, OCB and Integrity Aware Parallelizable Mode
    (IAPM) will scale well to support 10 Gbs and more. IAPM's patent is held by
    IBM, OCB by Phil Rogaway.
    
    The patent issue came up during the discussion time -- no one present knew
    of a provably secure mode with the properties of OCB that was unpatented.
    One could find an unpatented mode for privacy, say counter mode, and then
    add a MAC that provides authentication, but that is an extra step (plus I
    think you might run into the patent problem again in finding a MAC that will
    permit 10 Gbs speed).
    
    Mark Winstead
    
    -----Original Message-----
    From: Black_David@emc.com [mailto:Black_David@emc.com]
    Sent: Tuesday, August 21, 2001 8:17 PM
    To: sandeepj@research.bell-labs.com; ips@ece.cmu.edu
    Subject: RE: FW: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt
    
    
    Sandeep,
    
    There is a patent on it, and a license is required to ship product.
    The license should be available under fair, reasonable, and non-
    discriminatory terms, but will not be free.  A reasonable guess
    would be that iSCSI licensing terms would be similar to the 802.11
    terms, and that a suitable IETF intellectual property rights notice
    will be forthcoming.
    
    OTOH, this does seem to run counter to the usual IETF preference
    for unpatented technology over patented technology provided that
    the unpatented technology is a functionally suitable replacement
    for the patented technology.  Whether there are functionally suitable
    unpatented replacements for OCB is an issue for further discussion,
    ditto the requirements and preferences that lead to the recommendation
    of OCB.  A draft on OCB would need to go through the ipsec WG if we
    were to use OCB, and my impression is that at least some portion of
    that community has a very strong preference for unpatented technology.
    
    I hope this is what you were looking for in the way of comments.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    
    > -----Original Message-----
    > From: sandeepj@research.bell-labs.com
    > [mailto:sandeepj@research.bell-labs.com]
    > Sent: Tuesday, August 21, 2001 7:49 PM
    > To: ips@ece.cmu.edu
    > Subject: Re: FW: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt
    >
    >
    > David,
    >
    > Could you comment on the intellectual rights issues
    > here, particularly on AES-OCB, which will be mandatory
    > according to this draft (Sec 2.1)
    >
    > http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm
    > mentions the licensing terms for 802.11 products.
    >
    > Secondly, appendix tables A.5 and A.6 seem to indicate
    > that AES-CTR+UMAC performance is better than AES-OCB.
    > Has AES-OCB been chosen since it requires lesser keying
    > material and memory ?
    >
    > thanks
    > -Sandeep
    >
    > > FYI - this is about use of IKE and IPsec algorithm selection
    > > considerations.  --David
    > >
    > > -----Original Message-----
    > > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
    > > Sent: Tuesday, August 21, 2001 7:25 AM
    > > Subject: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt
    > >
    > > A New Internet-Draft is available from the on-line Internet-Drafts
    > > directories.
    > >
    > > Title           : Securing iSCSI using IPsec
    > > Author(s)       : B. Aboba et al.
    > > Filename        : draft-aboba-ips-iscsi-security-00.txt
    > > Pages           : 35
    > > Date            : 20-Aug-01
    > >
    > > This document discusses how iSCSI may utilize IPsec to provide
    > > authentication, integrity, confidentiality and replay protection.
    > >
    > > A URL for this Internet-Draft is:
    > >
    http://www.ietf.org/internet-drafts/draft-aboba-ips-iscsi-security-00.txt
    >
    > Internet-Drafts are also available by anonymous FTP. Login with the
    username
    > "anonymous" and a password of your e-mail address. After logging in,
    > type "cd internet-drafts" and then
    > "get draft-aboba-ips-iscsi-security-00.txt".
    >
    > A list of Internet-Drafts directories can be found in
    > http://www.ietf.org/shadow.html
    > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
    >
    > Internet-Drafts can also be obtained by e-mail.
    >
    > Send a message to:
    > mailserv@ietf.org.
    > In the body type:
    > "FILE /internet-drafts/draft-aboba-ips-iscsi-security-00.txt".
    >
    > NOTE:   The mail server at ietf.org can return the document in
    > MIME-encoded form by using the "mpack" utility.  To use this
    > feature, insert the command "ENCODING mime" before the "FILE"
    > command.  To decode the response(s), you will need "munpack" or
    > a MIME-compliant mail reader.  Different MIME-compliant mail readers
    > exhibit different behavior, especially when dealing with
    > "multipart" MIME messages (i.e. documents which have been split
    > up into multiple messages), so check your local documentation on
    > how to manipulate these messages.
    >
    >
    > Below is the data which will enable a MIME compliant mail reader
    > implementation to automatically retrieve the ASCII version of the
    > Internet-Draft.
    >
    > ---------------------------------------------------------
    > + Date: Tue, 21 Aug 2001 09:29:53 -0400
    > + Content-Type:
    > multipart/mixed;boundary="----_=_NextPart_002_01C12A44.418236C0"
    >
    > ATT36560
    >
    > <ftp://internet-drafts/>
    > Transfer-mode: ftp.ietf.org
    > ---------------------------------------------------------
    >
    
    
    
    


Home

Last updated: Tue Sep 04 01:03:53 2001
6315 messages in chronological order