
    IPS-ALL: Draft IPS Meeting minutes from IETF-52



    All,

     

    Following are the DRAFT IPS meeting minutes from IETF-52

    Please send clarifications/additions/corrections, etc to the list, David and I, no later than Jan 3.

     

    Thanks,

     

    Elizabeth & David

     

    IETF IPS Meeting Minutes

     

    December 10, 2001

     

    Reference section in all documents must be split into two sections – normative and non-normative.

     

    Interim meeting in Feb. Announcement on IPS mailing list & IETF announce. Need RSVPs.

    Information at www.ietf.org/IESG/IPS-Interim.txt

     

    -- FC Encapsulation draft (Ralph Weber)

     

    Basically done.

    SOFc4 will be going in, other minor (editorial) fixes. 

    Rev 5 will be candidate for last call.

    Last call will be in conjunction with FCIP and/or iFCP

     

    -- Security draft (Bernard Aboba)

     

    Security document will go standards track, but all protocol docs will be self contained.

    Protocol documents will govern, in case of any discrepancies.

    Note to this effect will be added to security draft.

     

    Cannot require the sequence space extension in ESPv3, since it will not be available for some time.

     

    NAT traversal language will be non-normative due to IPR issues

                and problems encountered in testing IPsec NAT traversal.

     

    Dependencies

                - Protocol specs, need SLPv2 security update (2608bis), but may be

                            able to finesse needing a normative reference

                - IPsec transforms are in progress.

                            See IPsec WG for more, for the AES drafts, MAC is in good shape,

                            CTR requires some attention in ipsec WG

                - SRP (RFC 2945)

                - DHCP-ipsec drafts.

     

    Transforms

    Currently specified

                Must: 3DES-CBC; HMAC-SHA1

                Should NOT: DES

                Should: AES-CTR and CBC-MAC w/ XCBC

     

    Q: (William Dixon) – Why not AES-128CBC instead of AES-CTR?  Much further along;

    interoperable implementations are available.  Will be discussed in ipsec wg. 

     

                Resolving issues off of the mailing list.

                Demoting 3DES will cause interoperability problems.

     

    Transport vs. Tunnel mode

     

                Specified: iFCP, FCIP Tunnel mode MUST; transport MAY

     

                iSCSI, under discussion.

                Summary of pros/cons

     

                Transport mode:

                            Pros: End to end security, Lower overhead, Larger MTU,

                                  Negotiation of connection specific selectors is common practice

                            Cons: Requires ipsec to be implemented on the IPS entities

                                  Greater difficulties with NAT traversal

     

                Tunnel mode:

     

                Pros: More compatible with existing VPN gateways,

                      Don’t have to implement ipsec on IPS entity

                      Easier to traverse NATs

     

                Cons: More overhead, Smaller MTU

     

                Tunnel problems - connection-specific selectors and dynamically assigned

                            addresses (problem is use of mode config which is non-standard -

                            standards track documents exist, but not clear whether they will

                            be widely implemented).

     

                Tunnel mode + connection-specific selectors are very difficult to do.

                Many gateways do not do connection-specific selectors well.

     

                Need to look at these issues in more detail.  Implementors please look

                            into the security gateways you're planning to use.
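The "More overhead, Smaller MTU" trade-off above can be made concrete. The following is an added example, not part of the minutes, that sizes an ESP packet for the MUST transforms named in the security draft (3DES-CBC with HMAC-SHA1) in transport and in tunnel mode. It assumes IPv4 without options, an explicit 8-byte CBC IV, a 96-bit truncated HMAC-SHA1 authenticator, and a TCP segment as the protected payload; those sizes are standard ESP values, not figures taken from the page.

```python
# Added example (not from the minutes): ESP packet size in transport vs tunnel
# mode for the MUST transforms 3DES-CBC + HMAC-SHA1.
# Assumed sizes: IPv4 without options, explicit 8-byte CBC IV, HMAC-SHA1-96 ICV.

IPV4_HEADER = 20        # bytes, no options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
CBC_IV = 8              # explicit 3DES-CBC IV
CBC_BLOCK = 8           # 3DES block size; padding fills whole blocks
ESP_TRAILER = 2         # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12   # truncated HMAC-SHA1 authenticator


def esp_padding(plaintext_len: int, block: int = CBC_BLOCK) -> int:
    """Padding bytes needed so plaintext + trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_packet_size(segment_len: int, mode: str) -> int:
    """Total on-the-wire IPv4 packet size for a TCP segment of segment_len bytes.

    transport: ESP wraps only the TCP segment; the original IP header is kept.
    tunnel:    ESP wraps the whole inner IP packet and a new outer IP header is added.
    """
    if mode == "transport":
        inner = segment_len
    elif mode == "tunnel":
        inner = IPV4_HEADER + segment_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    esp = (ESP_HEADER + CBC_IV + inner + esp_padding(inner)
           + ESP_TRAILER + HMAC_SHA1_96_ICV)
    return IPV4_HEADER + esp


def max_segment_for_mtu(mtu: int, mode: str) -> int:
    """Largest TCP segment that fits one MTU-sized packet without IP fragmentation."""
    seg = mtu
    while seg > 0 and esp_packet_size(seg, mode) > mtu:
        seg -= 1
    return seg


if __name__ == "__main__":
    # Constructed inputs: a 1000-byte segment and a 1500-byte Ethernet MTU.
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} 1000-byte segment -> {esp_packet_size(1000, mode)} bytes on the wire;"
              f" max segment for MTU 1500 = {max_segment_for_mtu(1500, mode)}")
```

For a 1500-byte MTU the tunnel-mode segment limit comes out exactly 20 bytes (one extra IPv4 header) below the transport-mode one; the per-packet padding difference depends on how the inner length aligns to the 8-byte cipher block.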

     

     

    IKE identifiers

                Both Main and Aggressive are MUST, Aggressive mode is there to deal with

                            dynamic addresses.

                Open issues in use of specific ID types.

     

    Policy Distribution

                - Constraining IKE is a good first step.

                - Security policy gets tricky when

                            - Not all nodes in an iSCSI network support security

                            - IKE times out when trying to reach a non-IPsec entity

                                        (e.g., 60 sec).  Initiator needs to know whether to

                                        try IPsec or not to avoid this.

                Responder-controlled security [TCP SYN in clear, target sets up

                            an SA if it supports IPsec] is an alternative.  Currently

                            a MUST NOT to avoid denial of service issues because TCP

                            SYN causes IKE work (much worse than TCP SYN flood case).

                            This limits need for security policy to target.

                Doesn't work well for target initiating IKE to initiator behind

                            a firewall or NAT.

                May use iSNS security policy distribution.

                Existing IPsec policy distribution mechanisms have been problematic.

                            iSNS could be better.

     

    Certificates

                SHOULD: use IKE certificates

                SHOULD: check certificate revocation list

                MAY: use certificates to determine authorization

     

                Easiest enrollment solution is to have HBAs get/use host certs.

                Long cert chains cause IP fragmentation in IKE, which can cause problems.

                Allow any IKE certificate - use these for identity only, avoid adding

                            new OIDs to do iSCSI authorization.

     

                General, but inconclusive transport vs. tunnel mode discussion.

                Pros and Cons for making each the MUST implement brought up.

                Neither mode will be prohibited.  Can make both MUST, but decision has not been made.

               

                John Hufferd asks about transport vs. tunnel mode resolution

                Needs to go to mailing list

                David Black will write something up.

     

     

    -- iFCP (Charles Monia)

     

    - iFCP N_Port address definition

                Currently IP address of gateway + N port ID behind it. Issue with NAPTs.

                As of -08, adding TCP port to IP address (gateway address is the pair). 

                No iSNS change required.

     

    - FC Broadcast

                FC Broadcast is best-effort, IPFC and FC-VI use this to do discovery.

                Not performance-critical.  Currently uses UDP/IP, may not be as reliable

                as FC broadcast over fabric, and relying on IP fragmentation may be a big

                problem.  Changing to a server-based TCP implementation of broadcast -

                send broadcast frame to broadcast server who then sends it to all gateways.

                Use 0xFF-FF-FF well known address as port ID for all of the iFCP entities

                involved in this.  Discovery based on iSNS - need iSNS changes for this.

                Need to look at issue of two broadcast servers in the same domain.

    - Stale Frame detection

                Currently optional.  Will change to MUST implement and MUST use.

     

    -- iFCP MIB (Charles Monia)

     

    Minor changes, cleanup from review by Keith.  Fairly stable, close to done.

     

    -- iSNS (Josh Tseng)

     

    - Change to support iFCP transparent mode.

     

    - Security Issues.  Use IPsec to protect iSNS messages.

                MUST implement IPsec w/ESP in tunnel mode for iFCP and appropriate mode for

                            iSCSI.

                Use unicast for query and response message

                Use multicast for iSNS heartbeat used to discover iSNS server

                iFCP gateways and iSCSI devices using iSNS SHOULD authenticate to the iSNS server.

     

    - Use of iSNS to distribute security policy

                This is about centralization of security administration.

                Security bitmap to hold things not already negotiated by ISAKMP.

                Parameters to be stored and distributed by iSNS - Use/non-use of:

                            IPsec, IKE, Main Mode, Aggressive Mode, Perfect forward secrecy,

                            preshared key, tunnel & transport mode.

                Need to review this for what's necessary - work with security draft

                authors (e.g., Bernard Aboba).

     

    - DHCP option - make absolutely sure that a new one is needed before asking for

                one.  DHCP name server option may not be appropriate (RFC 2937).

     

    -- iSNS MIB

     

    No serious content changes - minor cleanups (similar to iFCP MIB), stable, close

                to done.

     

    -- FCIP (Ralph Weber)

     

    At -07 draft.  Major open issue is WWN short frame security.  A few other

    minor changes will be made (e.g., add SOF and EOF for class 4 FC service).

     

    WWN Short Frame Security

     

    - Prior to Irvine, FCIP endpoint was IP address.  NAT/NAPT support makes this

                problematic.  Sending WWN across as identity.

     

    Discussion of how to go about solving this problem - authors would like to

                do this as part of FC-BB-2 rather than FCIP.  IETF IPS oversight/check

                of this will be necessary.  FC-BB-2 - specific solution seems to

                be preferred to a generic FC solution.  Expect to see proposal on list

                soon, discussion at FC-BB-2 in Feb. and IPS interim that week.

     

    -- FCIP SLP

     

    No known issues aside from coordination with security draft updates.  Will

    revise to match those and be ready for WG Last Call.  FCIP-SLP draft tracks

    security draft which tracks 2608bis.

     

    -- SCSI, FC Mgmt, and FCIP MIBs (Keith McCloghrie)

     

    FC Mgmt MIB has been transferred to IPS from IPFC.  Keith is rearchitecting

                (e.g., consistency with IF and Entity MIBs, remove non-FC objects),

                expect first ietf-ips-fcmgmt-mib draft soon.

     

    SCSI MIB - design team nearing completion of UML model.  Internet-Draft will

                be forthcoming shortly.  T10 working session on SCSI MIB on Monday,

                Jan 14 in Houston. Details available at www.t10.org/meeting.htm.

     

    FCIP MIB - There are a bunch of work items - NAT, BB-2 changes, dependent on

                rework of FC Mgmt MIB.

                Yaron: SCSI and iSCSI MIBs use "instance" abstraction so that one

                            MIB can represent multiple entities, FCIP should do likewise.

     

                Security - SNMPv3 has security.  Get security boilerplate from IETF

                OPS MIB site, and expand on it to add specific information about

                risks involved in specific writable elements.  DO NOT say "MUST

                use SNMPv3".

     

                Next draft will be coming in January.

     

    End discussion of transport/tunnel mode and related issues.

                Dynamic address support for tunnel mode is an interoperability issue that

                weighs against use of tunnel mode.

     

     

    ---------- Tuesday Dec 11---------

     

    -- Agenda rebashing

     

    Framing requirements agenda item pulled due to Transport AD/tsvwg issue.  Resolution

    will be posted to the list, soon, we hope.

     

    -- SRP IPR requirements (David Black)

     

                Note Well statement displayed.

                Key points –

                            If know about IP, need to disclose. Further, if you should know about IP,

                            need to disclose (e.g. Company cannot keep you in the dark in order to

                            avoid disclosure). But, no patent search is required (e.g. if no way you

                            should know, don't need to go out of your way to find out if there are claims).

     

                Should company own IP directly material to standard, IETF will ask Company to publish statement,

                and request fair, reasonable and non-discriminatory terms for licensing of IP. 

                Company is not obligated to comply.

     

                IETF does not judge fairness

     

            Claims (rumors) against SRP

            1) Stanford.  Royalty free license available.

            2) Lucent.  May have IP that may be essential.

                        If essential, will be licensed under standard Lucent IP licensing practices.

            3) Speke patent.  No statement. May be owned by Phoenix Technologies.

     

                MUST/SHOULD/MAY requirements discussion for SRP at February interim meeting.

     

    Closing warning from AD and WG chair about results of Dell and Rambus situations

                in which hiding patents resulted in patents being unenforceable (FTC consent

                decree for Dell, actual court decisions in Rambus).

     

    -- UNH Plugfest report (Yamini Shastry)

     

    Held Oct 28 - Nov 3

    Based on -08 draft

    15 participated.  4 initiators, 1 initiator, 9 both initiator & target. 1 neither initiator/target.

     

    Reserved bits test did not match with "MUST be zero on transmit/MUST be ignored

                on receive"

     

    Summary of changes made to draft as a result of plugfest - most are minor, see

                slides.

     

    OOO issue is number 5 on this list - will come up in main iSCSI section.

     

    Areas not tested include

                - digests

                - multiple connections/session

                - discovery sessions

                - unsolicited and/or immediate data

                - command windows greater than 1

                - Security

                - No implementations of markers

                - No real error recovery

                - No serious parameter negotiation beyond defaults

     

    Next plugfest [Feb 11-15] will look at these areas.  Based on -09 draft.

    Information from www.iol.unh.edu or from Yamini at yshastry@iol.unh.edu.

    New scripts will be available 2 weeks prior to plugfest.

    Request for minimum conformance of participating products made.

     

    Markers - determining whether they're in/out has to wait for resolution of

                status of tsvwg ULP Framing draft. 

     

    -- iSCSI (Julian Satran)

     

    Open issues

                - Security (tunnel vs. transport, and transforms)

                - Framing (tsvwg status)?

                            - Constant overhead word stuffing (version of Constant Overhead Byte

                                        Stuffing) as a possible alternative

                - Abort Task Set/Clear Task Set

                - OOO PDU handling

                - Serious issue: are NOPs allowed in a discovery session.

     

    * Abort and Clear Task set

                - Remove ordering discussion for Clear Task Set

                - Abort Task Set currently requires a SCSI response for every

                            aborted command.  Alternate - hold Abort Task Set response

                            until all outstanding responses are ACKed by the initiator.

                            Avoids any need to create "fake" SCSI responses, significantly

                            reduces burden on Initiator.  This is slower, but much simpler.

                            Most of section 9.4 will vanish.

    Sense of the room - follow this approach, modulo working out details

                on the list.

     

    * Out of Order Operation

                - This is a within-connection issue.  No ordering requirements across

                            connections.

                - Within-connection issue turned up on list in context of allowing a

                            DMA engine to reorder commands at its convenience.  Could use

                            multiple connections to do this.

    Eddy Q: DMA flow-through to wire is a plausible adapter design that increases

                the desirability of doing ordering.

    Mallikarjun: Unsolicited non-immediate data provides additional ordering

                flexibility.

    Sense of the room - this is the right approach.

     

    * NOP in Discovery Sessions

     

    Underlying problem is whether to keep discovery session around for

                detection/notification of configuration changes.

     

    Mark Bakke: Want to know when new targets become available.  Multiple ways

                to do this.  Discovery session is an in-band way of doing this, allows

                an async message to be sent to do this (won't need to poll).  Wants

                both NOPs and async messages on discovery session to keep it alive

                long-term.

     

    Resolution - N&D team to generate text describing applicability and use of

                the various mechanisms, along with requirements on implementations to

                yield interoperability.  Will ship to list and use that to drive closure

                on need for long-lived discovery sessions which in turn will drive

                closure of NOP issues.

     

    * Framing

                Word-stuffing version of COBS is an alternative to markers.  Has to touch

                            every byte of message.  CRC and ESP also have to, so this might be

                            a good alternative when those techniques are in use.

     

                COBS/COWS is the same class of mechanism as markers, similar considerations.

                            Comment that something is needed that doesn't require TCP modifications

                            - that would be either markers or COBS/COWS.  Hardware targets talking

                                        to software initiators is the scenario of interest.

                            Comment that TCP modification for framing is acceptable, hence no

                            need for COBS/COWS or markers.

     

                Discussion is not conclusive - Need to get tsvwg ULP issue resolved, write

                            COBS/COWS up in detail (sense of room is no serious objection to doing

                            so), and take this up on list, resolve at Feb. interim.
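The framing discussion above refers to a word-stuffing variant of COBS. As an added example, not from the minutes or from any of the drafts, here is the classic byte-oriented COBS algorithm on which that variant is based, together with a small stream deframer. It shows both points raised in the room: the encoder and decoder must inspect and copy every byte of the PDU, and in return the delimiter byte never occurs inside a frame, so a receiver that loses its place resynchronises on the next delimiter. The PDU bytes and the corruption below are constructed inputs.

```python
# Added example (not from the minutes): byte-oriented COBS framing,
# the mechanism of which "constant overhead word stuffing" is a variant.
# Every payload byte is inspected and copied (the "touches every byte" cost);
# in return 0x00 never appears inside an encoded frame, so it can delimit frames.

FRAME_DELIMITER = b"\x00"


def cobs_encode(data: bytes) -> bytes:
    """Encode data so the output contains no 0x00 byte.

    Each code byte gives the distance to the next (removed) zero;
    code 0xFF means 254 non-zero bytes follow with no implied zero.
    """
    out = bytearray()
    block = bytearray()
    for b in data:
        if b == 0:
            out.append(len(block) + 1)
            out += block
            block = bytearray()
        else:
            block.append(b)
            if len(block) == 254:
                out.append(0xFF)
                out += block
                block = bytearray()
    out.append(len(block) + 1)   # final block; its implied zero is dropped on decode
    out += block
    return bytes(out)


def cobs_decode(enc: bytes) -> bytes:
    """Inverse of cobs_encode; raises ValueError on a malformed frame."""
    if not enc:
        raise ValueError("empty COBS frame")
    out = bytearray()
    i = 0
    while i < len(enc):
        code = enc[i]
        if code == 0:
            raise ValueError("zero byte inside COBS frame")
        chunk = enc[i + 1:i + code]
        if len(chunk) != code - 1 or 0 in chunk:
            raise ValueError("truncated or corrupted COBS frame")
        out += chunk
        i += code
        if code != 0xFF and i < len(enc):
            out.append(0)
    return bytes(out)


def frame_pdus(pdus) -> bytes:
    """Place several PDUs on one byte stream, each COBS-encoded and terminated by 0x00."""
    return b"".join(cobs_encode(p) + FRAME_DELIMITER for p in pdus)


def deframe_stream(stream: bytes):
    """Recover PDUs from a stream. A frame that fails to decode is dropped and the
    receiver resynchronises on the next delimiter. Returns (pdus, dropped_count).
    COBS only restores framing; a corrupted byte can still yield a well-formed but
    wrong PDU, which is why a CRC is layered on top of it."""
    pdus, dropped = [], 0
    # The piece after the last delimiter is either empty or an incomplete frame.
    for frame in stream.split(FRAME_DELIMITER)[:-1]:
        try:
            pdus.append(cobs_decode(frame))
        except ValueError:
            dropped += 1
    return pdus, dropped


if __name__ == "__main__":
    # Constructed PDUs: one containing an embedded zero, one without.
    stream = frame_pdus([b"\x11\x22\x00\x33", b"abc"])
    print(stream.hex(" "))                       # no 0x00 except the two delimiters
    print(deframe_stream(stream))
    damaged = bytearray(stream)
    damaged[1] = 0x00                            # constructed corruption in frame 1
    print(deframe_stream(bytes(damaged)))        # frame 1 dropped, b"abc" still recovered
```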

     

    The -10 version will appear sufficiently prior to interim meeting. 

     

    -- iSCSI Boot draft

     

    iSCSI usage of DHCP option is fine.  Will go into next draft.

    (DHC WG consulted, no need for DHC draft).

     

    -- iSCSI Naming and Discovery

     

                Will be informational.

                IQN format will use date codes

                New ISID format

                New username and Initiator name usage guidelines

                Stringprep approach to character normalization

     

    ISID format change - ISID will contain vendor ID.  Will now be 48 bits, use

                IEEE OUI or IANA OUI.  02 should be "Local Usage" rather than "Random".

                Note that this can be coped with at install time.

     

    3 forms now acceptable

    1) IEEE OUI

    2) IANA Enterprise Number

    3) Vendor unique -- locally unique; not globally unique.

     

    Recommendation: Double size to 128, so that you can have a WW unique value

     

    Response:  Not needed -- ISID is relative to iSCSI node name, which is WW unique.

     

    Three people support embedding the MAC into the ISID.  Will take this to the

                list. 

     

    John Hufferd: Embedding the MAC in this ISID binds the session to a single HBA.

     

    Conservative Reuse description.  Reuse ISIDs across all targets.  Needed to

                deal with T10 changes in progress to persistent reservations.

     

    -- Stringprep (Mark Bakke)

     

    IDN is close to done on the stringprep/nameprep drafts.  This draft is about how

                to use this for iSCSI names.

     

    Q: What about unassigned codepoints.

    A: Whatever underlying stringprep draft does.

     

    Sense of room: adopted as WG draft.

     

    -- SLP for iSCSI

     

    Document is stable, unicast SLP usage is ok.

    Will coordinate security w/IPS Security draft.

    Will work with SLP authors on suitable notification support.

     

    -- iSCSI MIB status (Mark Bakke)

     

    Fitting into family of MIBs below SCSI MIB that is being developed -

                FCP MIB may be developed, no plans for parallel SCSI MIB.  Details

                of how these fit together being worked out in SCSI MIB team.

     

    Will be looking at how to add usernames/cert identities to access control

                area of iSCSI MIB w/o large complexity.

     

    -- iSNS for iSCSI status  (Josh Tseng)

     

    See iSNS session on Monday.  New informational material on how iSNS can

                be used to map iSCSI and FC devices in a hybrid installation.

     

    Final comments

    - Request to look at applying ISID-like structure to portal group tags

                for consistency and autoconfiguration reasons.

     


