RE: FCIP and iFCP Keying Problem

[Sandeep Joshi <sandeepj@research.bell-labs.com>]

About aggressive mode support in IKE..
   See   http://www.vpnc.org/features-chart.html
Most vendors appear to support it.

In addition to the above, KAME(*BSD) and isakmpd support
it as well.  But Win2000 and FreeS/WAN(Linux) do not
support aggressive mode (and FreeS/WAN may never...)
Although perhaps not relevant to FCIP/iFCP, the latter
may have implications on iSCSI end-systems

-Sandeep


> Although the issue of revealing identity is not significant
> (which means Aggressive Mode + pre-shared) keys is okay for
> an FCIP tunnel implementation, the question is whether many
> current IPsec gateways support Aggressive Mode. It only
> carries a "SHOULD implement" mandate in RFC2409.  It would
> appear that the issues of DHCP assigned addresses and its
> usability in conjunction with Main Mode + pre-shared keys
> would be more severe in l2tp/vpn solutions, and this would
> force gateways to implement Aggressive Mode; but can we
> depend on its availability.
>
> As Franco states for iFCP, it is not clear that FCIP endpoint
> addresses will be handed out using DHCP.  In fact, some of
> this will be made available using SLPv2 DAs and SAs, so they
> are fairly static. (This opens up the issue of SLPv2 itself
> having to be performed after IKE Phase-1 is done.)
>
>      Would the problem be less severe if the FCIP Endpoint WWN
> is sent as IKE payload in conjunction with Main-mode+pre-shared key?
>
>      Is it also not the case that Aggressive Mode with public
> key encryption still prevents identities being revealed?
>
>      Venkat Rangan
>      Rhapsody Networks Inc.
>      http://www.rhapsodynetworks.com
>