iFCP: security position

["Franco Travostino" <travos@nortelnetworks.com>]

After the interim meeting, we restate our security coordinates in the
following terms. Additionally, we have expanded our Irvine slides with
rationale text and insights that we learnt at the interim meeting. Such
amended slide set is available at
ftp://standards.nortelnetworks.com/san/ifcp_security_requirements-v2.pdf
Comments most welcome.

Keying: IKE

Pre-shared keys: MUST implement

Signature key authentication: MAY implement

Phase-1/Main Mode: MUST implement

Phase-1/Aggressive Mode: MAY implement

Phase-2/Quick Mode: MUST implement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Phase-2/Quick Mode + KE payload: MUST implement

Identities are IP addresses in all Phase-1/Phase-2 Modes

Integrity MAC:

HMAC-SHA1: MUST implement

AES (X)CBC MAC: SHOULD implement*

Encryption:

3DES CBC: MUST implement

AES CTR: SHOULD implement*

DES: SHOULD NOT implement

NULL: MUST implement

Encapsulation Style:

Tunnel Mode.

(*) IFF there is a Proposed Standard RFC that we can cite by the time we hit Last Call. HMAC-SHA1 and 3DES CBC suit us fine otherwise (as justified in the slides).

-franco
iFCP Technical Coordinator

Franco Travostino, Director Content Internetworking Lab
Advanced Technology Investments
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com