All,
Following are the DRAFT IPS meeting minutes from IETF-52
Please send clarifications/additions/corrections, etc to the
list, David and I, no later than Jan 3.
Thanks,
Elizabeth & David
IETF IPS Meeting Minutes
December 10, 2001
Reference section in all documents must be split into two
sections – normative and non-normative.
Interim meeting in Feb. Announcement on IPS mailing list
& IETF announce. Need RSVPs.
Information at www.ietf.org/IESG/IPS-Interim.txt
-- FC Encapsulation draft (Ralph Weber)
Basically done.
SOFc4 will be going in, other minor (editorial) fixes.
Rev 5 will be candidate for last call.
Last call will be in conjunction with FCIP and/or iFCP
-- Security draft (Bernard Aboba)
Security documetn will go standards track, but all protocol
docs will be self contained.
Protocol documents will govern, in case of any
discrepancies.
Note to this effect will be added to security draft.
Cannot require sequence space extension is in ESPv3, since
will not be available for some time.
NAT traversal language will be non-normative due to IPR
issues
and
problems encountered in testing IPsec NAT traversal.
Dependencies
-
Protocol specs, need SLPv2 security update (2608bis), but may be
able
to finesse needing a normative reference
-
IPsec transforms are in progress.
See
IPsec WG for more, for the AES drafts, MAC is in good shape,
CTR
requires some attention in ipsec WG
-
SRP (RFC 2945)
-
DHCP-ipsec drafts.
Transforms
Currently specified
Must:
3DES-CBC; HMAC-SHA1
Should
NOT: DES
Should:
AES-CTR and CBC-MAC w/ XCBC
Q: (William Dixon) – Why not AES-128CBC instead of
AES-CTR? Much further along;
interoperable implementations are available. Will be
discussed in ipsec wg.
Resolving
issues off of the mailing list.
Demoting
3DES will cause interoperability problems.
Transport vs. Tunnel mode
Specified:
iFCP, FCIP Tunnel mode MUST; transport MAY
iSCSI,
under discussion.
Summary
of pros/cons
Transport
mode:
Pros:
End to end security, Lower overhead, Larger MTU,
Negotiation of connection specific selectors is common practice
Cons:
Requires ipsec to be implemented on the IPS entities
Greater difficulties with NAT traversal
Tunnel
mode:
Pros:
More compatible with existing VPN gateways,
Don’t have to implement ipsec on IPS entity
Easier to traverse NATs
Cons:
More overhead, Smaller MTU
Tunnel
problems - connection-specific selectors and dynamically assigned
addresses
(problem is use of mode config which is non-standard -
standards
track documents exist, but not clear whether they will
be
widely implemented).
Tunnel
mode + connection-specific selectors are very difficult to do.
Many
gateways do not do connection-specific selectors well.
Need
to look at these issues in more detail. Implementors please look
into
the security gateways you're planning to use.
IKE identifiers
Both
Main and Aggressive are MUST, Aggressive mode is there to deal
with
dynamic
addresses.
Open
issues in use of specific ID types.
Policy Distribution
-
Constraining IKE is a good first step.
-
Security policy gets tricky when
-
Not all nodes in an iSCSI network support security
-
IKE times out when trying to reach a non-IPsec entity
(e.g.,
60 sec). Initiator needs to know whether to
try
IPsec or not to avoid this.
Responder-controlled
security [TCP SYN in clear, target sets up
an
SA if it supports IPsec] is an alternative. Currently
a
MUST NOT to avoid denial of service issues because TCP
SYN
causes IKE work (much worse than TCP SYN flood case).
This
limits need for security policy to target.
Doesn't
work well for target initiating IKE to initiator behind
a
firewall or NAT.
May
use iSNS security policy distribution.
Existing
IPsec policy distribution mechanisms have been problematic.
iSNS
could be better.
Certificates
SHOULD:
use IKE certificates
SHOULD:
check certificate revocation list
MAY:
use certificates to determine authorization
Easiest
enrollment solution is to have HBAs get/use host certs.
Long
cert chains cause IP fragmentation in IKE, which can cause problems.
Allow
any IKE certificate - use these for identity only, avoid adding
new
OIDs to do iSCSI authorization.
General,
but inconclusive transport vs. tunnel mode discussion.
Pros
and Cons for making each the MUST implement brought up.
Neither
mode will be prohibited. Can make both MUST, but decision has not been
made.
John
Hufferd asks about transport vs. tunnel mode resolution
Needs
to go to mailing list
David
Black will write something up.
-- iFCP (Charles Monia)
- iFCP N_Port address definition
Currently
IP address of gateway + N port ID behind it. Issue with NAPTs.
As
of -08, adding TCP port to IP address (gateway address is the pair).
No
iSNS change required.
- FC Broadcast
FC
Broadcast is best-effort, IPFC and FC-VI use this to do discovery.
Not
performance-critical. Currently uses UDP/IP, may not be as reliable
as
FC broadcast over fabric, and relying on IP fragmentation may be a big
problem.
Changing to a server-based TCP implementation of broadcast -
send
broadcast frame to broadcast server who then sends it to all gateways.
Use
0xFF-FF-FF well known address as port ID for all of the iFCP entities
involved
in this. Discovery based on iSNS - need iSNS changes for this.
Need
to look at issue of two broadcast servers in the same domain.
- Stale Frame detection
Currently
optional. Will change to MUST implement and MUST use.
-- iFCP MIB (Charles Monia)
Minor changes, cleanup from review by Keith. Fairly
stable, close to done.
-- iSNS (Josh Tseng)
- Change to support iFCP transparent mode.
- Security Issues. Use IPsec to protect iSNS messages.
MUST
implement IPsec w/ESP in tunnel mode for iFCP and appropriate mode for
iSCSI.
Use
unicast for query and response message
Use
multicast for iSNS heartbeat used to discover iSNS server
iFCP
gateways and iSCSI devices using iSNS SHOULD authenticate to the iSNS server.
- Use of iSNS to distribute security policy
This
is about centralization of security administration.
Security
bitmap to hold things not already negotiated by ISAKMP.
Parameters
to be stored and distributed by iSNS - Use/non-use of:
IPsec,
IKE, Main Mode, Aggressive Mode, Perfect forward secrecy,
preshared
key, tunnel & transport mode.
Need
to review this for what's necessary - work with security draft
authors
(e.g., Bernard Aboba).
- DHCP option - make absolutely sure that a new one is
needed before asking for
one.
DHCP name server option may not be appropriate (RFC 2937).
-- iSNS MIB
No serious content changes - minor cleanups (similar to iFCP
MIB), stable, close
to
done.
-- FCIP (Ralph Weber)
At -07 draft. Major open issue is WWN short frame
security. A few other
minor changes will be made (e.g., add SOF and EOF for class
4 FC service).
WWN Short Frame Security
- Prior to Irvine, FCIP endpoint was
IP address. NAT/NAPT support makes this
problematic.
Sending WWN across as identity.
Discussion of how to go about solving this problem - authors
would like to
do
this as part of FC-BB-2 rather than FCIP. IETF IPS oversight/check
of
this will be necessary. FC-BB-2 - specific solution seems to
be
preferred to a generic FC solution. Expect to see proposal on list
soon,
discussion at FC-BB-2 in Feb. and IPS interim that week.
-- FCIP SLP
No known issues aside from coordination with security draft
updates. Will
revise to match those and be ready for WG Last Call.
FCIP-SLP draft tracks
security draft which tracks 2608bis.
-- SCSI, FC Mgmt, and FCIP MIBs (Keith McCloghrie)
FC Mgmt MIB has been transferred to IPS from IPFC.
Keith is rearchitecting
(e.g.,
consistency with IF and Entity MIBs, remove non-FC objects),
expect
first ietf-ips-fcmgmt-mib draft soon.
SCSI MIB - design team nearing completion of UML
model. Internet-Draft will
be
forthcoming shortly. T10 working session on SCSI MIB on Monday,
Jan
14 in Houston. Details available at
www.t10.org/meeting.htm.
FCIP MIB - There are a bunch of work items - NAT, BB-2
changes, dependent on
rework
of FC Mgmt MIB.
Yaron:
SCSI and iSCSI MIBs use "instance" abstraction so that one
MIB
can represent multiple entities, FCIP should do likewise.
Security
- SNMPv3 has security. Get security boilerplate from IETF
OPS
MIB site, and expand on it to add specific information about
risks
involved in specific writable elements. DO NOT say "MUST
use
SNMPv3".
Next
draft will be coming in January.
End discussion of transport/tunnel mode and related issues.
Dynamic
address support for tunnel mode is an interoperability issue that
weighs
against use of tunnel mode.
---------- Tuesday Dec 11---------
-- Agenda rebashing
Framing requirements agenda item pulled due to Transport AD/tsvwg
issue. Resolution
will be posted to the list, soon, we hope.
-- SRP IPR requirements (David Black)
Note
Well statement displayed.
Key
points –
If
know about IP, need to disclose. Further, if you should know about IP,
need
to disclose (e.g. Company cannot keep you in the dark in order to
avoid
disclosure). But, no patent search is required (e.g. if no way you
should
know, don't need to go out of your way to find out if there are claims).
Should
company own IP directly material to standard, IETF will ask Company to publish
statement,
and
request fair, reasonable and non-discriminatory terms for licensing of
IP.
Company
is not obligated to comply.
IETF
does not judge fairness
Claims
(rumors) against SRP
1) Stanford.
Royalty free license available.
2) Lucent.
May have IP that may be essential.
If
essential, will be licensed under standard Lucent IP licensing practices.
3) Speke
patent. No statement. May be owned by Phoenix Technologies.
MUST/SHOULD/MAY
requirements discussion for SRP at February interim meeting.
Closing warning from AD and WG chair about results of Dell
and Rambus situations
in
which hiding patents resulted in patents being unenforceable (FTC consent
decree
for Dell, actual court decisions in Rambus).
-- UNH Plugfest report (Yamini Shastry)
Held Oct 28 - Nov 3
Based on -08 draft
15 participated. 4 initiators, 1 initiator, 9 both
initiator & target. 1 neither initiator/target.
Reserved bits test did not match with "MUST be zero on
transmit/MUST be ignored
on
receive"
Summary of changes made to draft as a result of plugfest -
most are minor, see
slides.
OOO issue is number 5 on this list - will come up in main iSCSI
section.
Areas not tested include
-
digests
-
multiple connections/session
-
discovery sessions
-
unsolicited and/or immediate data
-
command windows greater than 1
-
Security
-
No implementations of markers
-
No real error recovery
-
No serious parameter negotiation beyond defaults
Next plugfest [Feb 11-15] will look at these areas.
Based on -09 draft.
Information from www.iol.unh.edu or from Yamini at
yshastry@iol.unh.edu.
New scripts will be available 2 weeks prior to plugfest.
Request for minimum conformance of participate products
made.
Markers - determining whether they're in/out has to wait for
resolution of
status
of tsvwg ULP Framing draft.
-- iSCSI (Julian Satran)
Open issues
-
Security (tunnel vs. transport, and transforms)
-
Framing (tsvwg status)?
-
Constant overhead word stuffing (version of Constant Overhead Byte
Stuffing)
as a possible alternative
-
Abort Task Set/Clear Task Set
-
OOO PDU handling
-
Serious issue: are NOPs allowed in a discovery session.
* Abort and Clear Task set
-
Remove ordering discussion for Clear Task Set
-
Abort Task Set currently requires a SCSI response for every
aborted
command. Alternate - hold Abort Task Set response
until
all outstanding responses are ACKed by the initiator.
Avoids
any need to create "fake" SCSI responses, significantly
reduces
burden on Initiator. This is slower, but much simpler.
Most
of section 9.4 will vanish.
Sense of the room - follow this approach, modulo working out
details
on
the list.
* Out of Order Operation
-
This is a within-connection issue. No ordering requirements across
connections.
-
Within-connection issue turned up on list in context of allowing a
DMA
engine to reorder commands at its convenience. Could use
multiple
connections to do this.
Eddy Q: DMA flow-through to wire is a plausible adapter
design that increases
the
desireability of doing ordering.
Mallikarjun: Unsolicited non-immediate data provides
additional ordering
flexibility.
Sense of the room - this is the right approach.
* NOP in Discovery Sessions
Underlying problem is whether to keep discovery session
around for
detection/notification
of configuration changes.
Mark Bakke: Want to know when new targets become
available. Multiple ways
to
do this. Discovery session is an in-band way of doing this, allows
an
async message to be sent to do this (won't need to poll). Wants
both
NOPs and async messages on on discovery session to keep it alive
long-term.
Resolution - N&D team to generate text describing
applicability and use of
the
various mechanisms, along with requirements on implementations to
yield
interoperability. Will ship to list and use that to drive closure
on
need for long-lived discovery sessions which in turn will drive
closure
of NOP issues.
* Framing
Word-stuffing
version of COBS is an alternative to markers. Has to touch
every
byte of message. CRC and ESP also have to, so this might be
a
good alternative when those techniques are in use.
COBS/COWS
is the same class of mechanism as markers, similar considerations.
Comment
that something is needed that doesn't require TCP modifications
-
that would be either markers or COBS/COWS. Hardware targets talking
to
software initiators is the scenario of interest.
Comment
that TCP modification for framing is acceptable, hence no
need
for COBS/COWS or markers.
Discussion
is not conclusive - Need to get tsvwg ULP issue resolved, write
COBS/COWS
up in detail (sense of room is no serious objection to doing
so),
and take this up on list, resolve at Feb. interim.
The -10 version will appear sufficiently prior to interim
meeting.
-- iSCSI Boot draft
iSCSI usage of DHCP option is fine. Will go into next
draft.
(DHC WG consulted, no need for DHC draft).
-- iSCSI Naming and Discovery
Will
be informational.
IQN
format will use date codes
New
ISID format
New
username and Initiator name usage guidelines
Stringprep
approach to character normalization
ISID format change - ISID will contain vendor ID. Will
now be 48 bits, use
IEEE
OUI or IANA OUI. 02 should be "Local Usage" rather than
"Random".
Note
that this can be coped with at install time.
3 forms now acceptable
1) IEEE OUI
2) IANA Enterprise Number
3) Vendor unique -- locally unique; not globally unique.
Recommendation: Double size to 128, so that you can have a
WW unique value
Response: Not needed -- ISID is relative to iSCSI node
name, which is WW unique.
Three people support embedding the MAC into the ISID.
Will take this to the
list.
John Hufferd: Embedding the MAC in this ISID binds the
session to a single HBA.
Conservative Reuse description. Reuse ISIDs across all
targets. Needed to
deal
with T10 changes in progress to persistent reservations.
-- Stringprep (Mark Bakke)
IDN is close to done on the stringprep/nameprep
drafts. This draft is about how
to
use this for iSCSI names.
Q: What about unassigned codepoints.
A: Whatever underlying stringprep draft does.
Sense of room: adopted as WG draft.
-- SLP for iSCSI
Document is stable, unicast SLP usage is ok.
Will coordinate security w/IPS Security draft.
Will work with SLP authors on suitable notification support.
-- iSCSI MIB status (Mark Bakke)
Fitting into family of MIBs below SCSI MIB that is being
developed -
FCP
MIB may be developed, no plans for parallel SCSI MIB. Details
of
how these fit together being worked out in SCSI MIB team.
Will be looking at how to add usernames/cert identities to
access control
area
of iSCSI MIB w/o large complexity.
-- iSNS for iSSI status (Josh Tseng)
See iSNS session on Monday. New informational material
on how iSNS can
be
used to map iSCSI and FC devices in a hybrid installation.
Final comments
- Request to look at applying ISID-like structure to portal
group tags
for
consistency and autoconfiguration reasons.