RE: iSCSI: IKE normative guidelines

[Black_David@emc.com]

Yes, these guidelines differ from those RFCs in a number of
ways, based on things learned since those RFCs were written.
Many of these are things that would go into revised versions
of the IPsec RFCs, but revising the IPsec RFCs turns out to
be intractable to the point of near-impossibility for the
security folks - you'll have to ask them why.  See the IPS
security draft for some further explanation of these changes.

Main mode is not "at least as good" as aggressive mode when
group pre-shared keys are used; see the security draft and
the ipsec WG "improveike" draft for details.  Group pre-
shared keys are often used in practice because they
greatly simplify key management.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------


> -----Original Message-----
> From: Paul Koning [mailto:ni1d@arrl.net]
> Sent: Friday, November 09, 2001 4:45 PM
> To: BIRAN@il.ibm.com
> Cc: ips@ece.cmu.edu
> Subject: Re: iSCSI: IKE normative guidelines
> 
> 
> >>>>> "Ofer" == Ofer Biran <BIRAN@il.ibm.com> writes:
> 
>  Ofer> In the framework of the effort being done now by the security
>  Ofer> team to sync the normative statements in the security draft
>  Ofer> with the protocol drafts, I suggest to adopt the following IKE
>  Ofer> normative guidelines that already appear in the security draft
>  Ofer> for iSCSI: ...
> 
> Does any of this differ from what's in RFC 2408/2409?  If so, why?  If
> not, why not just refer to that standard and say nothing further?
> 
> If we're going to be different, I'd suggest dropping aggressive mode
> since main mode is at least as good.
> 
>       paul
>