iSCSI: IKE normative guidelines

In the framework of the effort being done now by the security team to sync the normative statements in the security draft with the protocol drafts, I suggest adopting the following IKE normative guidelines that already appear in the security draft for iSCSI:

==================================================================

"Conformant iSCSI, iFCP and FCIP implementations MUST support peer authentication using a pre-shared key, and MAY support certificate-based peer authentication using digital signatures. Peer authentication using the public key encryption methods outlined in IKE's sections 5.2 and 5.3[7] SHOULD NOT be used.

...Conformant iSCSI, FCIP and iFCP security implementations MUST support both IKE Main Mode and Aggressive Mode

...When digital signatures are used to achieve authentication, an IKE negotiator SHOULD use IKE Certificate Request Payload(s) to specify the certificate authority

...IKE negotiators SHOULD check the pertinent Certificate Revocation List (CRL) before accepting a PKI certificate for use in IKE's authentication procedures"

==================================================================

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com
972-4-8296253
Last updated: Sun Nov 11 17:17:33 2001
7747 messages in chronological order