IPS-ALL: Draft IPS Meeting minutes from IETF-52

All,

Following are the DRAFT IPS meeting minutes from IETF-52

Please send clarifications/additions/corrections, etc to the list, David and I, no later than Jan 3.

Thanks,

Elizabeth & David

IETF IPS Meeting Minutes

December 10, 2001

Reference section in all documents must be split into two sections – normative and non-normative.

Interim meeting in Feb. Announcement on IPS mailing list & IETF announce. Need RSVPs.

Information at www.ietf.org/IESG/IPS-Interim.txt

-- FC Encapsulation draft (Ralph Weber)

Basically done.

SOFc4 will be going in, other minor (editorial) fixes.

Rev 5 will be candidate for last call.

Last call will be in conjunction with FCIP and/or iFCP

-- Security draft (Bernard Aboba)

Security documetn will go standards track, but all protocol docs will be self contained.

Protocol documents will govern, in case of any discrepancies.

Note to this effect will be added to security draft.

Cannot require sequence space extension is in ESPv3, since will not be available for some time.

NAT traversal language will be non-normative due to IPR issues

and problems encountered in testing IPsec NAT traversal.

Dependencies

- Protocol specs, need SLPv2 security update (2608bis), but may be

able to finesse needing a normative reference

- IPsec transforms are in progress.

See IPsec WG for more, for the AES drafts, MAC is in good shape,

CTR requires some attention in ipsec WG

- SRP (RFC 2945)

- DHCP-ipsec drafts.

Transforms

Currently specified

Must: 3DES-CBC; HMAC-SHA1

Should NOT: DES

Should: AES-CTR and CBC-MAC w/ XCBC

Q: (William Dixon) – Why not AES-128CBC instead of AES-CTR? Much further along;

interoperable implementations are available. Will be discussed in ipsec wg.

Resolving issues off of the mailing list.

Demoting 3DES will cause interoperability problems.

Transport vs. Tunnel mode

Specified: iFCP, FCIP Tunnel mode MUST; transport MAY

iSCSI, under discussion.

Summary of pros/cons

Transport mode:

Pros: End to end security, Lower overhead, Larger MTU,

Negotiation of connection specific selectors is common practice

Cons: Requires ipsec to be implemented on the IPS entities

Greater difficulties with NAT traversal

Tunnel mode:

Pros: More compatible with existing VPN gateways,

Don’t have to implement ipsec on IPS entity

Easier to traverse NATs

Cons: More overhead, Smaller MTU

Tunnel problems - connection-specific selectors and dynamically assigned

addresses (problem is use of mode config which is non-standard -

standards track documents exist, but not clear whether they will

be widely implemented).

Tunnel mode + connection-specific selectors are very difficult to do.

Many gateways do not do connection-specific selectors well.

Need to look at these issues in more detail. Implementors please look

into the security gateways you're planning to use.

IKE identifiers

Both Main and Aggressive are MUST, Aggressive mode is there to deal with

dynamic addresses.

Open issues in use of specific ID types.

Policy Distribution

- Constraining IKE is a good first step.

- Security policy gets tricky when

- Not all nodes in an iSCSI network support security

- IKE times out when trying to reach a non-IPsec entity

(e.g., 60 sec). Initiator needs to know whether to

try IPsec or not to avoid this.

Responder-controlled security [TCP SYN in clear, target sets up

an SA if it supports IPsec] is an alternative. Currently

a MUST NOT to avoid denial of service issues because TCP

SYN causes IKE work (much worse than TCP SYN flood case).

This limits need for security policy to target.

Doesn't work well for target initiating IKE to initiator behind

a firewall or NAT.

May use iSNS security policy distribution.

Existing IPsec policy distribution mechanisms have been problematic.

iSNS could be better.

Certificates

SHOULD: use IKE certificates

SHOULD: check certificate revocation list

MAY: use certificates to determine authorization

Easiest enrollment solution is to have HBAs get/use host certs.

Long cert chains cause IP fragmentation in IKE, which can cause problems.

Allow any IKE certificate - use these for identity only, avoid adding

new OIDs to do iSCSI authorization.

General, but inconclusive transport vs. tunnel mode discussion.

Pros and Cons for making each the MUST implement brought up.

Neither mode will be prohibited. Can make both MUST, but decision has not been made.

John Hufferd asks about transport vs. tunnel mode resolution

Needs to go to mailing list

David Black will write something up.

-- iFCP (Charles Monia)

- iFCP N_Port address definition

Currently IP address of gateway + N port ID behind it. Issue with NAPTs.

As of -08, adding TCP port to IP address (gateway address is the pair).

No iSNS change required.

- FC Broadcast

FC Broadcast is best-effort, IPFC and FC-VI use this to do discovery.

Not performance-critical. Currently uses UDP/IP, may not be as reliable

as FC broadcast over fabric, and relying on IP fragmentation may be a big

problem. Changing to a server-based TCP implementation of broadcast -

send broadcast frame to broadcast server who then sends it to all gateways.

Use 0xFF-FF-FF well known address as port ID for all of the iFCP entities

involved in this. Discovery based on iSNS - need iSNS changes for this.

Need to look at issue of two broadcast servers in the same domain.

- Stale Frame detection

Currently optional. Will change to MUST implement and MUST use.

-- iFCP MIB (Charles Monia)

Minor changes, cleanup from review by Keith. Fairly stable, close to done.

-- iSNS (Josh Tseng)

- Change to support iFCP transparent mode.

- Security Issues. Use IPsec to protect iSNS messages.

MUST implement IPsec w/ESP in tunnel mode for iFCP and appropriate mode for

iSCSI.

Use unicast for query and response message

Use multicast for iSNS heartbeat used to discover iSNS server

iFCP gateways and iSCSI devices using iSNS SHOULD authenticate to the iSNS server.

- Use of iSNS to distribute security policy

This is about centralization of security administration.

Security bitmap to hold things not already negotiated by ISAKMP.

Parameters to be stored and distributed by iSNS - Use/non-use of:

IPsec, IKE, Main Mode, Aggressive Mode, Perfect forward secrecy,

preshared key, tunnel & transport mode.

Need to review this for what's necessary - work with security draft

authors (e.g., Bernard Aboba).

- DHCP option - make absolutely sure that a new one is needed before asking for

one. DHCP name server option may not be appropriate (RFC 2937).

-- iSNS MIB

No serious content changes - minor cleanups (similar to iFCP MIB), stable, close

to done.

-- FCIP (Ralph Weber)

At -07 draft. Major open issue is WWN short frame security. A few other

minor changes will be made (e.g., add SOF and EOF for class 4 FC service).

WWN Short Frame Security

- Prior to Irvine, FCIP endpoint was IP address. NAT/NAPT support makes this

problematic. Sending WWN across as identity.

Discussion of how to go about solving this problem - authors would like to

do this as part of FC-BB-2 rather than FCIP. IETF IPS oversight/check

of this will be necessary. FC-BB-2 - specific solution seems to

be preferred to a generic FC solution. Expect to see proposal on list

soon, discussion at FC-BB-2 in Feb. and IPS interim that week.

-- FCIP SLP

No known issues aside from coordination with security draft updates. Will

revise to match those and be ready for WG Last Call. FCIP-SLP draft tracks

security draft which tracks 2608bis.

-- SCSI, FC Mgmt, and FCIP MIBs (Keith McCloghrie)

FC Mgmt MIB has been transferred to IPS from IPFC. Keith is rearchitecting

(e.g., consistency with IF and Entity MIBs, remove non-FC objects),

expect first ietf-ips-fcmgmt-mib draft soon.

SCSI MIB - design team nearing completion of UML model. Internet-Draft will

be forthcoming shortly. T10 working session on SCSI MIB on Monday,

Jan 14 in Houston. Details available at www.t10.org/meeting.htm.

FCIP MIB - There are a bunch of work items - NAT, BB-2 changes, dependent on

rework of FC Mgmt MIB.

Yaron: SCSI and iSCSI MIBs use "instance" abstraction so that one

MIB can represent multiple entities, FCIP should do likewise.

Security - SNMPv3 has security. Get security boilerplate from IETF

OPS MIB site, and expand on it to add specific information about

risks involved in specific writable elements. DO NOT say "MUST

use SNMPv3".

Next draft will be coming in January.

End discussion of transport/tunnel mode and related issues.

Dynamic address support for tunnel mode is an interoperability issue that

weighs against use of tunnel mode.

---------- Tuesday Dec 11---------

-- Agenda rebashing

Framing requirements agenda item pulled due to Transport AD/tsvwg issue. Resolution

will be posted to the list, soon, we hope.

-- SRP IPR requirements (David Black)

Note Well statement displayed.

Key points –

If know about IP, need to disclose. Further, if you should know about IP,

need to disclose (e.g. Company cannot keep you in the dark in order to

avoid disclosure). But, no patent search is required (e.g. if no way you

should know, don't need to go out of your way to find out if there are claims).

Should company own IP directly material to standard, IETF will ask Company to publish statement,

and request fair, reasonable and non-discriminatory terms for licensing of IP.

Company is not obligated to comply.

IETF does not judge fairness

Claims (rumors) against SRP

1) Stanford. Royalty free license available.

2) Lucent. May have IP that may be essential.

If essential, will be licensed under standard Lucent IP licensing practices.

3) Speke patent. No statement. May be owned by Phoenix Technologies.

MUST/SHOULD/MAY requirements discussion for SRP at February interim meeting.

Closing warning from AD and WG chair about results of Dell and Rambus situations

in which hiding patents resulted in patents being unenforceable (FTC consent

decree for Dell, actual court decisions in Rambus).

-- UNH Plugfest report (Yamini Shastry)

Held Oct 28 - Nov 3

Based on -08 draft

15 participated. 4 initiators, 1 initiator, 9 both initiator & target. 1 neither initiator/target.

Reserved bits test did not match with "MUST be zero on transmit/MUST be ignored

on receive"

Summary of changes made to draft as a result of plugfest - most are minor, see

slides.

OOO issue is number 5 on this list - will come up in main iSCSI section.

Areas not tested include

- digests

- multiple connections/session

- discovery sessions

- unsolicited and/or immediate data

- command windows greater than 1

- Security

- No implementations of markers

- No real error recovery

- No serious parameter negotiation beyond defaults

Next plugfest [Feb 11-15] will look at these areas. Based on -09 draft.

Information from www.iol.unh.edu or from Yamini at yshastry@iol.unh.edu.

New scripts will be available 2 weeks prior to plugfest.

Request for minimum conformance of participate products made.

Markers - determining whether they're in/out has to wait for resolution of

status of tsvwg ULP Framing draft.

-- iSCSI (Julian Satran)

Open issues

- Security (tunnel vs. transport, and transforms)

- Framing (tsvwg status)?

- Constant overhead word stuffing (version of Constant Overhead Byte

Stuffing) as a possible alternative

- Abort Task Set/Clear Task Set

- OOO PDU handling

- Serious issue: are NOPs allowed in a discovery session.

* Abort and Clear Task set

- Remove ordering discussion for Clear Task Set

- Abort Task Set currently requires a SCSI response for every

aborted command. Alternate - hold Abort Task Set response

until all outstanding responses are ACKed by the initiator.

Avoids any need to create "fake" SCSI responses, significantly

reduces burden on Initiator. This is slower, but much simpler.

Most of section 9.4 will vanish.

Sense of the room - follow this approach, modulo working out details

on the list.

* Out of Order Operation

- This is a within-connection issue. No ordering requirements across

connections.

- Within-connection issue turned up on list in context of allowing a

DMA engine to reorder commands at its convenience. Could use

multiple connections to do this.

Eddy Q: DMA flow-through to wire is a plausible adapter design that increases

the desireability of doing ordering.

Mallikarjun: Unsolicited non-immediate data provides additional ordering

flexibility.

Sense of the room - this is the right approach.

* NOP in Discovery Sessions

Underlying problem is whether to keep discovery session around for

detection/notification of configuration changes.

Mark Bakke: Want to know when new targets become available. Multiple ways

to do this. Discovery session is an in-band way of doing this, allows

an async message to be sent to do this (won't need to poll). Wants

both NOPs and async messages on on discovery session to keep it alive

long-term.

Resolution - N&D team to generate text describing applicability and use of

the various mechanisms, along with requirements on implementations to

yield interoperability. Will ship to list and use that to drive closure

on need for long-lived discovery sessions which in turn will drive

closure of NOP issues.

* Framing

Word-stuffing version of COBS is an alternative to markers. Has to touch

every byte of message. CRC and ESP also have to, so this might be

a good alternative when those techniques are in use.

COBS/COWS is the same class of mechanism as markers, similar considerations.

Comment that something is needed that doesn't require TCP modifications

- that would be either markers or COBS/COWS. Hardware targets talking

to software initiators is the scenario of interest.

Comment that TCP modification for framing is acceptable, hence no

need for COBS/COWS or markers.

Discussion is not conclusive - Need to get tsvwg ULP issue resolved, write

COBS/COWS up in detail (sense of room is no serious objection to doing

so), and take this up on list, resolve at Feb. interim.

The -10 version will appear sufficiently prior to interim meeting.

-- iSCSI Boot draft

iSCSI usage of DHCP option is fine. Will go into next draft.

(DHC WG consulted, no need for DHC draft).

-- iSCSI Naming and Discovery

Will be informational.

IQN format will use date codes

New ISID format

New username and Initiator name usage guidelines

Stringprep approach to character normalization

ISID format change - ISID will contain vendor ID. Will now be 48 bits, use

IEEE OUI or IANA OUI. 02 should be "Local Usage" rather than "Random".

Note that this can be coped with at install time.

3 forms now acceptable

1) IEEE OUI

2) IANA Enterprise Number

3) Vendor unique -- locally unique; not globally unique.

Recommendation: Double size to 128, so that you can have a WW unique value

Response: Not needed -- ISID is relative to iSCSI node name, which is WW unique.

Three people support embedding the MAC into the ISID. Will take this to the

list.

John Hufferd: Embedding the MAC in this ISID binds the session to a single HBA.

Conservative Reuse description. Reuse ISIDs across all targets. Needed to

deal with T10 changes in progress to persistent reservations.

-- Stringprep (Mark Bakke)

IDN is close to done on the stringprep/nameprep drafts. This draft is about how

to use this for iSCSI names.

Q: What about unassigned codepoints.

A: Whatever underlying stringprep draft does.

Sense of room: adopted as WG draft.

-- SLP for iSCSI

Document is stable, unicast SLP usage is ok.

Will coordinate security w/IPS Security draft.

Will work with SLP authors on suitable notification support.

-- iSCSI MIB status (Mark Bakke)

Fitting into family of MIBs below SCSI MIB that is being developed -

FCP MIB may be developed, no plans for parallel SCSI MIB. Details

of how these fit together being worked out in SCSI MIB team.

Will be looking at how to add usernames/cert identities to access control

area of iSCSI MIB w/o large complexity.

-- iSNS for iSSI status (Josh Tseng)

See iSNS session on Monday. New informational material on how iSNS can

be used to map iSCSI and FC devices in a hybrid installation.

Final comments

- Request to look at applying ISID-like structure to portal group tags

for consistency and autoconfiguration reasons.