SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    DRAFT Orange County Minutes



    I also appended my "iSCSI Security Directions and Rationale"
    message to these as it seems to be an important part of
    these minutes.  Comments/corrections to the list.
    
    Thanks,
    --David
    
    IETF IP Storage (ips) Working Group
    Orange County Interim Meeting
    August 27-28, 2001
    Irvine Marriott, Irvine, CA
    -----------------------------------
    
    -------> Day 1, Monday, August 27 - Fibre Channel protocol encapsulations
    <--------
    
    SCSI MIB effort is still aborning - those who are interested should contact
    chairs.
    This is needed by iSCSI.  Those who are interested should contact the
    chairs.
    
    -- FC Common Encapsulation - Ralph Weber, (Brocade)
    
    No major open issues.  Need more text on CRC definition.  Will need to clean
    up IANA text and put in reference for SOF* and EOF*.
    
    Reference to T10/T11 specifications - will need to work out issues of
    reference
    to T10/T11 <xxxx>r<nn> documents.  FC-BB-2, FC-FS are issues here, SAM-2
    will be
    crucial for iSCSI.  See chapter 3 of existing T10 and T11 documents for
    potentially
    useful text.  Given that IETF and ITU have figured out how to do this, T10
    and T11
    issues should be manageable.
    
    Document won't be last called until FCIP and/or iFCP is ready for WG Last
    Call.
    
    -- FCIP - Ralph Weber, (Brocade)
    
    TCP port issue - allow other than the standard ports??  This is about both
    NAPT and
    	the ability to put more than one FCIP entity at the same IP address,
    e.g.,
    	for debugging.
    
    Related issue is connection binding into a single ISL - if NAPT is used, the
    IP address
    	can't be used to do implicit connection binding, instead need a way
    to do explicit
    	connection binding as FC cares about which connections are part of
    which ISLs.
    	Can always unscramble this at the FC level, but that may be too
    late.
    	FC B_Port may not be able to get its hands on FC WWN info, so
    inserting it
    	earlier may not be possible.  NAT works.  Keith points out that
    current approach
    	uses IP address (layer 3) to do an FCIP (layer 5) demux. 
    
    Note that this implies that the current text may be necessary.
    
    Consensus call: Does FCIP need to support NAPT?  Sense of room: Yes.
    
    Discussion will need to go to the list.  There are a lot of details here
    that need to
    be handled on the list.
    
    Transit Time Validation computation - separation of FC Entity from FCIP
    Entity requires
    	specifying where the transit time is computed.  FC Entity is
    documented in
    	FC-BB-2.
    
    Sense of room: Move time validation into FC Entity from FCIP Entity, time
    stamps
    	measure FC Entity to FC Entity times (discard decision is FC Fabric
    decision).
    
    Use IP time services to get the job done.  Seems reasonable, FC-BB-2 has
    some details
    	to work out to make sure that FC vs. IP time services are used
    consistently and
    	provide similar level of resolution.
    
    Issue about failure detection/notification - goal is fail-fast, may have FC
    doing
    	connection failure detection above FCIP layer (TCP/IP).  Those would
    be FC
    	mechanisms.  Must do usual FC notification of loss of connectivity.
    
    IP - FC flow control mapping/management issue - Need a "there be dragons
    here"
    	warning.
    
    -- FC-BB-2 Assumptions and impact on FCIP draft - Murali Rajagopal,
    Lightsand
    
    There are a bunch of places that discuss required interaction between FC and
    FCIP
    	Entities.  New connection initiation and error recovery create
    coupled
    	interactions.
    
    Administrative interface - just require one, and see RFC 2401 for a worked
    example.
    	Discussing this as a database set up by administrative interface is
    fine.
    	Notifications DO NOT flow through the database, need a description
    of functional
    	interaction of the FC and FCIP entities.
    
    -- FCIP MIB - Anil Rijhsinghani, McData
    
    Relation to FC Mgmt MIB will cause changes.  Building on existing MIBs is a
    good thing,
    	but FC Mgmt MIB didn't do that, and hence will change significantly.
    
    TCP DSCP setting entity needs to be bit-bucketed.  Use a PHBID to indicate
    this -
    	see RFC 3140.
    
    Exiting TCP MIBs have counters that span all connections.  Connections will
    be long-
    	lived, and hence per-connection counters make sense.
    
    Connection options - how do you specify them given that table entries are
    created
    	as a result of connection creation, and these are needed to create
    the
    	connections?  Do you need a profile table to be used in creating
    connections?
    	If so, need two tables.
    
    Add discussion of related MIBs in initial text of draft.
    
    Align to forthcoming -06 version of FCIP draft (e.g., DLY_LIM has been moved
    into
    	FC Entity).  May need to pick up some things from SLP and static
    discovery.
    
    Should look at FC Entity (switch element) MIB for alignment.  There's
    overlap
    	between this and FC Mgmt MIB.  Don't see any need to fold FCIP MIB
    into
    	either FC Mgmt or FC Entity MIBs.
    
    -- FCIP Discovery - Dave Peterson, Cisco
    
    Scope and domain issue.  Domains overlap, scopes don't.  Scope defines outer
    limits
    	of connectivity - within the scope, domains define connectivity.
    Domains
    	are an addition to the SLP notion of scope, and a system can belong
    to more
    	than none domain within a scope.  This is about link establishment -
    access
    	control would be via FC Zoning at FC level.
    
    FCIP DA usage is highly recommended, but not required.  SLPv2 is REQUIRED
    due to
    	constraints on SLPv1.  iSCSI also only allows SLPv2.  SLPv2 RFCs are
    at
    	Proposed Standard, moving to Draft Standard.  
    
    Open issue of how domain relates to "site network" concept in SLP - will be
    taken
    	to list.
    
    NAT issue is open - will have to look at management IP address and whole
    concept
    	of SNMP through NATs is peculiar.  Also affects iSCSI.  Using DNS
    and default
    	ports helps a lot with NAT boxes.
    
    Will coordinate with FCIP MIB.
    
    FCIP entity name (WWN) should always be generated automatically.
    
    Is fabric name/principle switch needed for FCIP discovery?  Take this out.
    
    Nit: Take out "L" on string templates, except that transports remains "M L".
    
    Combine mgmt-entity and mgmt-ipaddr into URL, and require that there be an
    	SNMP agent at that address that supports FCIP MIB and related
    required MIBs.
    	Q: Multiple URLs?  A: just one, protocol is SNMP, and FCIP MIB must
    be there.
    
    Security entries in template TBD based on FCIP security approach.
    
    -- iFCP - Charles Monia, Nishan
    
    - Frame Lifetime measurement issue.  R_A_TOV default is 10 sec.
    
    Want large safety margin on max timeout through IP portion of FC fabric -
    factor of 2
    	suggested.  Want to avoid need for fine-grained SNTP queries.  Want
    to set
    	this timeout (IP_TOV) via. iSNS or other management interface.  iSNS
    will
    	have location of SNTP server to use, need .125 sec resolution,
    100ppm max
    	drift.  .125 sec drift every 10 minutes.  
    
    Add note to spec about implementation techniques that can achieve 100ppm
    (probably
    	crystal, not LC oscillator).
    
    Gateway parameters - IP_TOV value, reaction to loss of SNTP sync (cease time
    calc.
    	vs. shut down), and frequency of SNTP queries.  Define loss of sync
    (number
    	of missed SNTP queries).
    
    Concepts appear to be applicable to FCIP, details will vary (e.g., time
    budget).
    
    - IPFC and iFCP
    
    This is mostly about this being possible.
    
    Have to support IPFC broadcast, and ELSs used by ARP and FARP. Added
    	optional IPFC to IP gateway (done based on N_Port that passes only
    IP
    	datagrams to IP network).
    
    Fragmentation MUST respect DF bit.
    
    May have to gather several IPFC frames to build one IP packet because IPFC
    "packet"
    	may be spread across multiple frames.
    
    It's not clear that this even belongs in the iFCP document, as it's entirely
    about an
    	implementation technique (it's basically describing the details of
    how
    	to build an (IP)FC blade for an IP router).
    
    - iFCP Fabric Services Profile
    
    Gateways must support Class 2 and Class 3, and must support Sequential
    Delivery - FLOGI.
    
    Fabric Services - F_Port server, fabric controller, directory/name server.
    	SCN (State Change Notification) is gone from FC-FS, and can be
    removed.
    
    Broadcast service is optional.  No support for Management, time, alias, and
    key
    	distribution services.
    
    Craig Carlson (T11.3) - may need to support Management Service.  Broadcast
    may become
    	mandatory in FC-SW-3.  Take this presentation to FC-BB-2.  FC-MI
    does not
    	require any of these for a fabric, but management server may be
    needed in
    	practice.
    
    David Black - this sort of issue is "what makes an FC fabric an FC fabric?"
    and
    	hence are primarily T11.3 issues.
    
    - TPRLO Augmentation
    
    TPRLO instructs receiver to terminate one or more process logins.  Primarily
    used
    	within cluster context to force clean failover.
    
    Augmentation adds data, may hit max frame size.  Hence may have to add
    frames via
    	increased SEQ_CNT (no SEQ_ID change).
    
    - TCP/IP options for iFCP
    
    David Black - should be conservative about specifying option usage.
    
    Keep Alive - SHOULD NOT use, FC will handle this.  Should be lower case.
    Nagle (tiny segment avoidance) - Should not use, lower case, not
    capitalized.
    		Can be set per-connection.
    Window Scale and Wrapped sequence - should use, lower case, not capitalized
    SACK - Pick up recommendation from RFC 2883 (SHOULD do SACK for TCP?)
    otherwise
    	lower case "should".
    Cong control w/fast recovery [RFC 2581] - same as SACK.
    ECN - Standards track RFC is about to appear, and echo recommendation from
    it, like
    	previous two.
    
    Discussion of TCP RST - may be a useful tool to get TCP connections to "fail
    fast"
    	when FC has decided that there is loss of connectivity.
    
    -- iFCP MIB - Kevin Gibbons, Nishan
    
    First version of MIB has been submitted as draft-tseng- ...
    
    Will look at existing FC MIBs, and see what it makes sense to import.
    
    Sense of room: Adopt iFCP MIB as official IPS WG draft.
    
    Minutes of teleconferences to be forwarded to ips reflector.
    Action item: iSCSI MIB folks need to report their work.
    
    - iFCP discovery - Josh Tseng, Nishan
    
    Use SLP to discover location of iSNS server.  Use iSNS with iFCP.  No open
    issues.
    
    - FC-BB-2 relationship - Ralph Weber (Brocade) and Murali Rajagopal,
    Lightsand
    
    FC Entity is now intended to be common to FC-BB (ATM and SONET) and FC-BB-2
    (IP),
    hence want to put all IP configuration and related specifics into FCIP spec
    rather
    than FC-BB-2 spec.  Management details are not shown on the diagram and are
    potentially vendor specific.  Diagram is from an FC-BB-2 5.1 draft.
    
    Discussion of ISL connecting two E-ports 1-1.  Instead of creating multiple
    virtual
    E-ports, might want to modify FSPF to allow 1-many connections from a single
    E-port.
    
    - NAT issue - Larry Lamers, SAN Valley
    
    Extensive editing of Larry's diagram and discussion of the various peculiar
    things
    that forms of NAT and NAPT can do.  See RFC 2663 for more.
    
    -----> Transition to MIB Mechanics Session <--------
    
    -- Tips on MIB Design - Keith McCloghrie, Cisco
    
    Subtitle: Some (not well-enough known) SMIv2 design issues.
    
    MIB should not be intended to be the only MIB that a product implements.
    	- MIB-II has now been split into a bunch of individual MIBs.
    		- RFC 1907 requires system and snmp groups in all agents
    		- all network I/Fs must be represented in ifTable
    		- Media-specific extensions to ifTable. [FC Mgmt integration
    MIB
    			needs to follow this approach, ditto Fabric Element
    MIB].
    		- Important MIBs in this regard: Interfaces MIB [RFC 2863],
    and
    			Entity MIB [RFC 2737]
    	- Moral: omit information that is more generic than MIB's function.
    		- Feel free to propose addition to other MIBs, e.g., Entity
    MIB
    			(Keith asked Entity MIB WG chair to raise specific
    additions
    			 from fcmgmt MIB to Entity MIB as a possible WG work
    item).
    
    Q: Should media-specific MIBs AUGMENT generic MIBs?
    A: No, AUGMENTS implies 1-1 mapping of rows across the 2 MIBs.  Not all
    interfaces
    	are Ethernet interfaces, but may use same index as ifTable, even
    though not
    	all rows from the interfaces MIB will be present in Ethernet MIB.
    Augment
    	is useful for dealing with things at different levels of
    standardization
    	(including vendor-specific extensions to a standard MIB).
    
    Q: Can additional values for standard enumerations be defined in
    vendor-specific
    	extensions?
    A: Not for enumerations because additional values may conflict with
    subsequent
    	standard definition of those values.  Use Object Identifier (OID)
    instead of
    	enumeration in the original MIB to allow this sort of thing, as any
    vendor
    	can get an object identifier and put it in without fear of conflict.
    	Example: Encryption and Authentication algorithms are defined using
    OIDs.
    Q: How are privately defined OIDs kept from conflicting?
    A: Enterprise object identifier, allocated by IANA.  OIDs are
    tree-structured, hence
    	this OID allows others to be created.  Need to think about OID
    structure,
    	as narrow deep trees create long OIDs.  Vendor-specific MIBs should
    be
    	published, along with list of OIDs used as entry values in the MIB.
    Careful
    	structure of OID space (e.g., all encryption algorithms are rooted
    at one
    	OID) helps decipher meaning of newly seen OID.
    
    iSCSI MIB had a narrow/deep OID structure because it used OID tree to
    contain
    	connection objects in session objects.  Containment and inheritance
    should
    	not be captured via OID nesting - these are better done as separate
    tables
    	using INDEX or AUGMENTS to handle relationships between rows in
    tables.
    
    Each extra level adds about 20% overhead to representation - this can have
    	nasty consequences for GET BULK.  Examples in which extra depth adds
    value:
    	- Ease of administration (avoid duplicated subtrees)
    	- configuring View-based Access Control (RFC 2575): this has a
    subtree-based
    		structure.
    
    Objects, Notification, and Conformance are the three usual nodes underneath
    the
    	root object/OID for the MIB.  Structure beyond there (e.g., within
    Objects
    	subtree) varies.  SMI requires that notification prefix be object 0.
    This
    	avoids confusion when converting SNMPv1 traps to SNMPv2 by prefixing
    a zero
    	that can't otherwise appear in the OID (guarantees that when mapping
    v1 trap
    	to v2, one can't generate an otherwise existing OID) - hence have to
    use
    	that zero in order to make the corresponding conversion work in the
    reverse
    	direction.
    
    Writable MIB objects.  Lack of security in SNMPv1 is not an excuse for no
    writable
    	objects.  Can always not implement write, but MAX-ACCESS clauses
    cannot be
    	upgraded - to change from MAX-ACCESS that forbids write to one that
    allows
    	it, one has to deprecate the old objects and define new ones.  If
    write makes
    	sense, allow it in MAX-ACCESS (maximum that makes "protocol sense").
    Even
    	with SNMPv1, it may make sense to allow write on isolated network.
    MIN-ACCESS
    	is minimum required for compliance (e.g., can have read/write MAX,
    but
    	read-only MIN).
    
    Q: Are objects mandatory by groups?
    A: By and large, yes.  This is to simplify management station construction,
    so
    	that a management station can assume that all objects in a group are
    present
    	if the group is implemented rather than having to check each one
    individually.
    
    Integer-valued object rules
    - Enumerations MUST use INTEGER, not Integer32 or Unsigned32
    - Range based rules for numbers to use Integer32 or Unsigned32 (see Keith's
    slides)
    - When using an integer as an Index, use Unsigned32, but exclude 0 as
    reserved value
    	for "does not exist".  If 0 allowed in range, MUST specify a good
    reason.
    
    Counters are only meaningful when taking differences between samples, time
    period
    between samples must be less than minimum wrap time.  A Snapshot of a
    Counter is
    called a Gauge, and does not change.  Counters can have discontinuities
    (e.g., if
    module is replaced).  MIB needs to record timestamp of discontinuity - mgmt.
    app
    can look at this to determine that a discontinuity has occurred and hence
    old
    counter values have to be discarded as differences across discontinuity are
    invalid.
    sysUpTime is an obvious example, ifCounterDiscontinuityTime [RFC 2863] and
    	etherSTatsCreateTime [RFC 2021] are two others.
    
    Q: Can ifTable indexes be reassigned?
    A: Only if it's known to be the same interface or after reboot.  If in
    doubt, don't
    	reuse the old index values.  ifIndex values need not be in some
    hardware
    	scan order.  This gets much worse when interfaces can be dynamically
    	created.  Avoid temptation to overload index with some sort of
    hardware
    	slot number or the like - define a separate MIB element that is the
    slot number.
    
    RMON2 defines ZeroBasedCounter32 for use in rows that exist for a short
    time.
    	Row has a create time at which the counter can be assumed to have
    been
    	zero provided that the minimum wrap time has not passed since then.
    
    64-bit numbers: SMIv2 defines Counter64, but not Gauge64 or Unsigned64.
    - This is a problem, RFC 2856 defines a couple of TC's with Counter64
    syntax:
    	- CounterBasedGauge64 (snapshot of counter64)
    	- ZeroBasedCounter64 (64 bit equivalent of ZeroBasedCounter32)
    
    Miscellaneous:
    	- Descriptors of 32 characters or less, no hyphens there or in
    labels.
    	- MIB lines less than 80 characters
    	- Specify ranges for all INTEGERs, sizes for all OCTET STRINGs
    	- enumerated values should be arbitrary, not explicitly selected
    		to correspond to something else (e.g., if 6 is TCP, this
    		is an IP protocol number, so call it that).
    Include "Relationship to Other MIBs" section
    Extend ifTable for network interfaces (not augment).
    
    iSCSI MIB gets the protocol number issue correct and has port number support
    	for dealing with IPv6.
    
    Q: MIB relationship structure?
    A: ifStackTable helps with structure of stacked protocol MIBs, esp. below
    IP.
    
    Q: Name clashes?
    A: Standard MIBs tend to have unique prefixes.  Enterprise MIBs should start
    with
    	name of enterprise.  This isn't perfect, but tends to work
    reasonably well.
    
    Q: How does IESG check MIBs?
    A: Dave Perkin's smicng tends to be the most comprehensive in making checks?
    
    Q: SNMP security direction?
    A: Need is increasing, but some large operators use brute force solutions
    (e.g.,
    	block all SNMP traffic at ingress points).  Internal threats
    becoming more
    	of concern and entail use of SNMP security as a countermeasure.
    Note that
    	jump from SNPMv1 to SNMPv3 w/DES is much larger than DES to 3DES or
    AES.
    
    Q: SNMP key exchange/distribution?
    A: Small number of management stations need to talk to all agents.  Key per
    	management station w/localization to make it unique per agent scales
    nicely.
    	Kerberos integration w/SNMP has been proposed.
    
    -------> Day 2, Tuesday, August 28th - Security <----------
    
    - IETF security requirements discussion - David Black, EMC
    	- MUST implement, OPTIONAL to use.  Best we can do is require
    security tools to
    		be available for use of protocol in environments where
    they're needed.
    		Vendors may choose to do poor security implementations -
    can't control that.
    	- Confidentiality is now required
    	- If an "external" gateway is used, only the "public" interface of
    the gateway
    		is compliant, there's a risk if there's a significant
    network between the
    		"private" interface of the gateway and the iSCSI/iFCP/FCIP
    system.
    
    - iFCP security requirements - Franco Travostino, Nortel
    
    	Current proposal - ESP tunnel mode, 3DES, HMAC-SHA1.  Assuming that
    lots of
    		sessions between the two gateways so 3DES keys don't expire
    quickly.
    		No free lunch for rekeying - for XX MB/sec traffic, have to
    do a
    		rekeying event every Y hours.  That Y is a constant
    independent of
    		number of SAs (one rekeying event every Y hours).  This does
    help
    		with ESP sequence space exhaustion.
    	No interest in software implementations, hence 3DES software
    overhead is
    		NOT an issue.
    	Want to use off-the-shelf IKE, and require PFS.  iSNS can store
    security
    		policies.  May not want to do PFS every time - one
    possibility is
    		to rekey the phase 1 SA (which always does a D-H) at the
    points where
    		PFS becomes required.
    	Tunnel mode works better w/VPNs and existing external gateways.
    	IKE + DHCP combination can be messy - unclear whether this is
    necessary.
    
    - FCIP security requirements - Venkat Rangan, Rhapsody
    
    	Very little native FC security, long-lived TCP connections.
    	Want to enable external gateways, but provide end-to-end security
    (FC Entity
    		to FC Entity).
    	Don't want to do inband security negotiation - FCIP has no explicit
    login.
    	Note: Word "Manual" was not intended for keying mechanism,
    pre-shared keys.
    	Prefer AES with some suitable operating mode.  OFB?
    
    Issue: ips wg vs. ipsec wg selection of required operating modes.
    Suggestion
    	to defer selection of MUST implement algorithms/modes 100% to ipsec
    WG.
    	Unfortunately, DES is currently a MUST there, which doesn't make
    much sense.
    
    	Keying: IKE is fine, SRP would have to be used on an out-of-band
    connection.
    
    	Authentication modes: RSA signature key, always mutual
    authentication in IKE.
    		For non-mutual authentication, fake a self-signed
    certificate.
    		Pre-shared authentication key is defined.  Informational RFC
    coming
    		on how to do GSS authentication in IKE with Kerberos.
    	Pre-shared key would work for connecting peer gateways, but has
    admin
    		scaling issues as scenarios scale up.  Pre-shared key is
    very
    		commonly used for IPsec VPN implementations - seems to match
    with
    		FCIP and iFCP.
    
    	T11.3 is working on authentication for FC-SW-3 - this could
    authenticate
    		and generate keys, but relying on that is probably not a
    good idea.
    
    - iSCSI security requirements - Mark Bakke, Cisco
    
    	Who/what to authenticate - machine vs. some concept of "user".
    Currently,
    		machine, but some sort of "user" may be in future.
    Sequential tape
    		sharing solutions are already headed in this direction.
    
    	SCSI is working on LUN level access control.  Most shared disk
    vendors have
    		individual solutions to this problem.
    
    	There's an important distinction between system (e.g., IPsec) and
    initiator/
    		target authentication.  Latter is more general, as one could
    create
    		different initiators and targets for the apps/users (e.g.,
    dedicated
    		to backup application) - this is multiple logical
    initiators/targets
    		per system.
    
    	Web analogy - client authenticates server machine, server
    authenticates client
    		user.  Initiator would authenticate device server, target
    would authenticate
    		initiator access to LUs.
    
    NOTE: An extensive description of iSCSI security decisions made at this
    meeting
    	along with their rationale has been posted to the mailing list.
    These
    	minutes are a bit on the brief/sketchy side.  The message from the
    list
    	is appended to these minutes - see below.
    
    - iSCSI Inband Keying of ESP - David Black, EMC
    	[Section 6 of draft-black-ips-iscsi-security-01.txt]
    	
    	See slides.  Basic idea is to use the keys that iSCSI inband
    authentication
    	will generate anyway (CHAP doesn't) to key ESP.  Negotiation and
    Startup are
    	problem areas, Rekeying is manageable.
    
    - IKE and iSCSI - William Dixon, Microsoft
    	[Part of draft-aboba-ips-iscsi-security-00.txt]
    
    	Description of IKE and IPsec functionality.
    
    	Distributed filesystem scenario - only machine authentication
    (fileserver doesn't
    		know the user when it establishes iSCSI access to storage).
    	Multiuser server scenario - may have user credentials in some cases.
    Filesystem
    		in OS has to manage which users can access what.
    	If iSCSI users are distinguished, that will be done via separate
    initiators.
    		Note that user authentication decisions will often be
    remoted by targets
    		to take advantage of centralized authentication
    infrastructure.
    	IPsec target running in "secure mode" would require all traffic to
    be IPsec-secured.
    
    	Need to subset IKE to get a meaningful set of options for
    interoperability.
    		Will have to pick the right ones and make them "MUSTs".
    	Can't protect against malicious software on same machine as iSCSI -
    everything
    		has access to the top of IPsec (especially of concern if
    there's malicious
    		kernel driver).  Requires inband iSCSI authentication and
    trust in OS
    		to defend against.
    	
    	Ignore material in draft that ties phase 2 SAs to individual TCP
    connections,
    		but still likely to have phase 2 SA per TCP connection.
    
    	Proposed IKE profile - Identity protect mode Main + Quick (not
    aggressive).
    		- Use transport encapsulation
    		- 1024 bit DH group
    		- 3DES/SHA-1 or AES/SHA-1 [SHA-1 HMAC]
    		- iSCSI responsible for deleting phase 2 SAs when TCP
    connection goes away.
    
    	IKE naturally matches a machine trust model.  User authentication
    requires
    		additions to current state of IKE implementation/deployment.
    Separate
    		authentication for key generation (machine - IKE) from
    authentication
    		for access (machine or user - iSCSI).
    
    	PKI for certificate management is not widely available.  E.g. Free
    S/WAN for
    		Linux does not handle certificate authentication.  When cert
    mode is
    		used, all certs are self-signed, hence no machine trust
    infrastructure.
    	In contrast, Kerberos is widely available.  So, use pre-shared key,
    and
    		IKE-GSS-AUTH for Kerberos v5.  Pre-shared key could be the
    mandatory
    		to implement method, but will have scalability issues over
    time.
    
    	Need tunnel mode to work with external gateways.  MS will not ship
    AES support
    		for Windows for at least 12 months.
    
    Consensus calls on keying direction:
    	iSCSI - use IKE keying
    	iFCP - use IKE keying
    	FCIP - about evenly split between IKE and "not sure".  Proposal to
    be
    		posted to list by FCIP authors.
    
    Need to talk about IKE authentication methods and transport vs. tunnel mode
    on list.
    
    -- NIST AES Modes of Operation Workshop Report - Howard Herbert, Intel
    
    - CBC MAC and extension modes:
    	CBC MAC is not secure unless all "messages" are same length.
    Problem for
    	IP Packets.  XCBC (2 add'l keys) and RMAC (1 key + random number)
    both change
    	computation of last block.  Workshop recommended XCBC be added to
    CBC MAC.
    - Next generation MACs: PMAC, XECB MAC, and UMAC
    	Both PMAC and XECB MAC have patents filed, and each patent
    cross-claims the
    	other algorithm, so nasty patent issues.  UMAC is not suitable for
    dedicated
    	hardware due to size of key schedule and crypto state.  NIST will
    continue
    	to look at PMAC and XECB MAC, but neither will be standardized now.
    - Next generation combined (authentication and encryption) modes: OCB, XCBC,
    IAPM
    	IPsec issue - "associated data" problem, IPsec has to authenticate
    data that
    	is not encrypted.  ESP must send SPI and sequence number in clear
    and must
    	authenticate them.  OCB may be extensible to deal with this.  All
    three
    	algorithms have patents filed and cross-claims, again a mess.  Note
    that
    	some countries make import regulation distinctions between
    authentication
    	and confidentiality (e.g., China), so combined mode could run afoul
    of
    	resulting regulatory restrictions.  NIST will continue to look at
    OCB.
    - Draft NIST modes spec:
    	ECB, CBC, CFB, OFB, CTR, CBC MAC : counter mode is new, others
    already exist.
    	Draft will provide "guidance", but leave details (e.g., construction
    of
    	counter) to others (e.g., IETF).
    
    NIST is prepared to standardize modes covered by patents, but doesn't seem
    to be
    	prepared to take out general use licenses for required patents.
    
    Howard's recommendations for ESP:
    	- Now: AES CBC MAC + XCBC.  AES CTR mode for confidentiality.
    	- Next generation: PMAC or XECB MAC.  AES CTR mode for
    confidentiality.
    	- Continue to look at OCB combined mode.
    
    Discussion of various things.
    
    -- Hardware considerations - Joe Tardo, Broadcom
    
    MAC: HMAC-SHA-1 recommended, not AES CBC MAC.
    Crypto: AES/Counter mode, not 3DES CBC.  Rekeying time issues are a problem.
    	Issue is what the counter looks like to enable packet by packet
    processing.
    
    -- iSCSI Wire Protection w/IPsec - William Dixon, Microsoft
    	[Part of draft-aboba-ips-iscsi-security-00.txt]
    
    Reminder that IPsec SA management (phase 2) is decoupled from iSCSI, iSCSI
    tells
    	IPsec when to tear them down (change to aboba draft).
    
    Idling out - iSCSI links will need to idle out, iFCP will be able to do so
    based
    	on traffic not going across a particular N_Port pair.
    
    Discussion - when IPsec hits resource exhaustion and can't set up or rekey
    SAs,
    	one loses connectivity, and the results can be ugly.  This has to be
    tested
    	for and should be the rough equivalent in effect and likelihood of
    hardware
    	failure.
    
    Sequence number rollover - 10Gbps w/64-byte packets need to rekey about
    every 3
    	minutes.  That's doable, but there's a bigger problem - @ 10Gig due
    to 64
    	bit block size of 3DES, need to rekey every 30 sec or less, and
    that's hard
    	if IKE is not in kernel mode.
    
    MAC Recommendation: HMAC-SHA1
    Crypto Recommendation: AES at some mode.
    	- 3DES ok up to 1Gbit, not good at faster speeds.  Can be
    recommended, but
    		shouldn't be the MUST implement.
    
    Consensus calls for iSCSI:
    	- HMAC-SHA1 is MUST implement
    		SHA2 may be useful for increased speed.
    	- Enhanced AES CBC MAC is a promising candidate for SHOULD
    		Howard Herbert will look into this further - issue is
    stability
    		of changes NIST intends to adopt and time period for ipsec
    WG
    		standardization of result.
    	- Crypto: 3DES/CBC is a MUST, AES/Counter is a SHOULD (no
    availability
    		of hardware is a good reason for ignoring a SHOULD).
    	- Transport vs. Tunnel encapsulation: Defer decision to the list
    
    -- iSCSI Authentication
    
    SRP - Stanford and other IPR issues to the list.
    Josh Tseng will take a look at PKI implications for iSCSI authentication
    methods
    	(SPKM-1 and SPKM-2) and figure out what's the right thing to do.
    
    -- FCIP Security Discussion
    
    Security design needs to be public/on the list.
    Discussion of tunnel vs. transport mode.  Can get the cert processing rules
    too
    	general and not get end-to-end security, pre-shared key tends to
    result in
    	end-to-end.  Tighter specification of cert processing rules can also
    yield
    	end-to-end bias.
    
    --------------- iSCSI Security Directions and Rationale Summary
    ---------------
    
    This message was sent to the mailing list as a detailed explanation of the
    iSCSI security directions adopted in the interim meeting and the rationale
    for them.
    
    From: Black_David@emc.com
    Sent: Thursday, August 30, 2001 8:15 PM
    To: ips@ece.cmu.edu
    Subject: iSCSI Security directions and rationale
    
    The purpose of this message is to state the recommended
    security directions for iSCSI from the interim meeting and
    describe the rationale for them.  Objections to these
    decisions may be made on the list, but they need to have
    *good* technical reasons.  I apologize for the length of
    this message, but we spent a while on this in the meeting,
    and I wanted to get all the considerations into this message.
    
    First, an important piece of procedural context.  In order to
    specify a security algorithm (cipher and mode, or integrity MAC),
    we need a separate RFC to cite.  For algorithms without RFCs,
    the work to create such an RFC occurs in the ipsec WG, not here.
    Given the anticipated timetable for iSCSI, any new RFC for such
    an algorithm needs to be in ipsec WG Last Call and ideally
    submitted to the IESG by early next year, otherwise approval
    of the iSCSI RFC gets held up until that algorithm RFC is ready.
    The proposed charter revision for the ipsec WG (posted for
    comments on August 9) anticipates the following work on
    algorithms between now and the end of the year:
    
    3)  New cipher documents to support AES-CBC, AES-MAC, SHA-2, and 
    	a fast AES mode suitable for use in hardware encryptors
    
    The "fast AES mode suitable for use in hardware encryptors" is
    likely to be counter mode.  In practice, NIST is functioning
    as a gateway to the ipsec WG in this area, in that if NIST is not
    prepared to recommend a cipher/mode or MAC algorithm, the ipsec
    WG is unlikely to work on it seriously in the next few months.
    Hence as a practical matter "NIST is not prepared to recommend"
    is fatal to the inclusion of an algorithm in the current iSCSI
    specification.
    
    There were four major security issues considered at the interim
    meeting.  Here's a summary of the issues and recommendations:
    (1) Keying - inband (SRP/ESP) or IKE subset
    	Recommendation: IKE subset.  No further work to be done
    		on inband keying and it will not be specified.
    (2) Integrity MAC - many possibilities
    	Recommendation: HMAC-SHA1 as "MUST implement", AES CBC MAC
    		with XCBC extensions as "SHOULD implement", subject
    		to verification that this is consistent with the
    		ipsec WG's standardization plans.
    (3) Encryption algorithm and operating mode - many possibilities
    	Recommendation: 3DES in CBC mode as "MUST implement", AES
    		in counter mode or whatever "fast AES mode suitable
    		for use in hardware encryptors" is standardized by the
    		ipsec WG as "SHOULD implement".  As previously noted
    		on the list, NULL encryption is "MUST implement".
    (4) Encapsulation mode - transport vs. tunnel
    	Recommendation: Unable to reach reasonable consensus.  This
    		is wrapped up in external gateway and end-to-end
    		security issues as will be explained below.
    These recommendations are subject to further comment on the list,
    but I would ask that anyone who comments make sure that they
    understand the rationale described below.  In the absence of 
    serious objections, I intend to call consensus on the first
    three items above in the near future.
    
    Let me also note that nothing in this message excludes any
    algorithm from implementation  - this is entirely about what
    algorithms to REQUIRE (MUST implement) or RECOMMEND (SHOULD
    implement).  The one exception is DES, which is sufficiently
    weak to justify "SHOULD NOT implement" wording (IMHO).  Usage
    is negotiable in all cases.  We may want or need to revisit
    these recommendations in the future when the iSCSI specification
    is closer to being issued as an RFC in light of developments
    between now and then.
    
    - Keying Rationale
    
    Inband keying has negotiation and startup weaknesses.  The best
    that can be done with negotiation for the inband keying approach
    detects tampering with security negotiation after the fact (at
    which point one has to abandon the connection and start over),
    whereas IKE can prevent tampering.  There is no good solution for
    starting ESP underneath an existing TCP connection.  IKE can be
    implemented within memory requirements that are reasonable for
    embedded devices (see draft-aboba-ips-iscsi-security-00.txt),
    and IKE implementations are readily available in contrast to new
    work that would be required for inband keying.  IKE can also be
    judiciously subsetted to cut down on the complexity objections
    to it (more on this in a separate thread).  In addition, there is
    some desire for FCIP and iFCP to follow iSCSI's security direction,
    and inband keying is a poor fit to these protocols, especially
    FCIP.
    
    - Integrity MAC Rationale
    
    There are three classes of candidate MAC algorithms:
    (1) New MACs (e.g., UMAC, PMAC) and new encryption operating
    	modes that incorporate MAC functionality.  NIST is not
    	prepared to recommend any of these at this time, and hence
    	they have to be ruled out for iSCSI.  Unfortunately, all
    	of the MAC algorithms likely to have high performance in
    	hardware fall into this category.  In addition, with the
    	exception of UMAC, all of these sorts of algorithms considered
    	at the Modes workshop have serious intellectual property (i.e.,
    	patent) issues.  Since UMAC has been of particular interest
    	in the past, I should note that the developer of UMAC asked
    	NIST not to consider it (and to consider PMAC instead) because
    	UMAC is a poor fit to hardware implementations.  NIST will
    	be considering algorithms of both sorts (including PMAC)
    	for possible future recommendation.  
    (2) AES CBC MAC.  NIST was initially prepared to recommend this,
    	but it was modified at the Modes workshop to include the XCBC
    	extension to improve security for variable size messages.
    	NIST is prepared to recommend the result, but we need to check
    	that the ipsec WG will proceed to standardize AES CBC MAC as
    	modified in this fashion.  Between this and the newness of
    	the modification, AES CBC MAC is most appropriate as a
    	backup (in case a serious security flaw is discovered in our
    	primary algorithm) and hence is recommended as "SHOULD
    	implement" subject to verification with the ipsec WG
    	(Howard Herbert is working on that verification).
    (3) HMAC-SHA1 and HMAC-MD5.  This is what's left.  They're stable,
    	well-known, widely implemented, but not exactly fast.  Of the
    	two, HMAC-SHA1 is the better choice, as a security issue has
    	been discovered with MD5 (as pointed out in the meeting, the
    	issue doesn't compromise HMAC-MD5, but the "where there's smoke"
    	principle suggests that HMAC-SHA1 is the better choice).  SHA2
    	was felt to be more of a performance improvement for SHA1 and
    	not sufficiently different from SHA1 to provide meaningful
    	protection if a security flaw is found in SHA1, motivating
    	the choice of AES CBC MAC as modified by XCBC as the second
    	MAC algorithm.
     
    - Encryption Algorithm and Mode Rationale
    
    After the WG chair exercised his prerogative to exclude DES from
    consideration, four algorithm/mode possibilities were considered:
    	- AES in Counter and CBC Modes
    	- 3DES in Counter and CBC Modes
    3DES Counter Mode is a new mode for 3DES; the ipsec WG does
    not appear to have any current plans to standardize it, and
    that eliminates 3DES in Counter Mode from consideration.
    The point of choosing AES would be to get an algorithm/mode
    combination with high performance in hardware and software.
    There's unlikely to be a significant difference between CBC
    Mode and Counter Mode in software, but Counter Mode can be 
    much faster than CBC in hardware, hence Counter Mode makes
    a lot more sense for AES than CBC Mode.
    
    Between 3DES in CBC Mode and AES in Counter Mode (or possibly
    some other fast mode for hardware encryptors selected by the
    ipsec WG), 3DES/CBC is specified, stable, and deployed (and
    implementations are available).  Counter Mode for AES is not
    completely specified yet, and AES implementations are not
    currently widely available.  Hence 3DES in CBC Mode was
    recommended as "MUST implement" and AES in Counter Mode or
    whatever fast mode for hardware encryptors the ipsec WG
    selects as "SHOULD implement" (e.g., inability to get
    high performance hardware can be part of a valid reason
    to ignore a "SHOULD").  NULL encryption needs to be "MUST
    implement" in order to allow ESP to be used for keyed
    cryptographic integrity without encryptions.  
     
    - Encapsulation Mode
    
    Given the decision to use IKE, a decision to use tunnel mode
    encapsulation would result in iSCSI security *exactly matching*
    the functionality of an IPsec security gateway (Bump In The
    Wire).  Security gateways can be deployed anywhere, and as a
    result, it's quite easy for the security obtained from gateways
    to be other than end-to-end.  Based on discussions with ADs and
    other knowledgeable folks in London, I believe that the IETF
    Security Area and the IESG have a preference for end-to-end
    security solutions.
    
    Since most security gateways do not support transport mode
    (there are a few that do, but they are the exception, not
    the rule), REQUIRING transport mode would bias the iSCSI
    specification towards end-to-end security in a fashion that
    should make it easier to gain IESG approval.  OTOH,
    REQUIRING transport mode would make it considerably more
    difficult to use external security gateways to provide the
    mandatory to implement iSCSI security, which seems to be of
    interest to a significant portion of the WG.  On the third
    hand, as was made clear at the IESG Open Plenary in London,
    the IESG has little sympathy for a desire to use external
    security gateways when the result leads to standardization
    of other than the "best security available" (see Section 6 of
    draft-ietf-saag-whyenc-00.txt).  On the fourth hand, there
    may be ways to specify/recommend/require usage of IKE
    authentication in a fashion that creates a bias towards
    end-to-end security of similar strength to requiring transport
    mode.
    
    And that's about where things stand.  I apologize for being
    unable to provide clearer guidance, but the situation is what
    it is.  From a purely specification and process viewpoint,
    REQUIRING transport mode will hasten completion of the iSCSI
    spec and its approval by the IESG, but process should not
    take precedence over making the proverbial "right" or "best"
    technical and engineering decisions.
    
    Please do not quote this entire message when responding.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    


Home

Last updated: Sat Sep 08 09:17:14 2001
6470 messages in chronological order