|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] FW: Notes from IPS meetingHere are the minutes from the IPS meeting last week. Please review and let David and/or I know of any comments/corrections/issues by 5pm EST on Tuesday April 1. Thanks, Elizabeth Rodriguez ---- IPS Working Group - Tuesday, March 18, 2003 Status of Drafts - Per the IETF ID Tracker, located at https://datatracker.ietf.org/public/pidtracker.cgi Most thru working group last call. A few approved for publication. Status: Publication Requested (these are standards track documents which have just recently been forwarded to the ADs for initial review) Auth MIB FC Mgmt MIB iFCP MIB iSCSI MIB Status: AD Evaluation FCIP SLP (has completed expert review. Same expert review applies to iSCSI SLP) iSCSI SLP Stringprep iSNS Status: IESG Evaluation/AD Followup Naming and discovery - Back to ADs for review after revisions made in response to IESG feedback Status: IESG Evaluation/Revised ID needed Boot draft sent back due to security problems. Issues discussed later in session. Status: RFC Editor Queue (Approved for Publication) FC Common Encapsulation IPS Security iSCSI FCIP iFCP These documents are in the RFC Editor Queue and are pending references. To see the dependencies these drafts are awaiting, see http://www.rfc-editor.org/queue.html. Long poll on the iSCSI RFC assignment is waiting on the AES Counter draft. Possible expedition after references are completed. Question was asked about status of FC-BB-2 publication. Craig Carlson (T11.3 Chair) stated that the ANSI publication process is slow and final publication may not be available for 6 months. Status: ID Exists Three of these drafts (SCSI MIB, FCIP MIB, iSNS MIB) are almost ready to be forwarded. Nit checks have already occurred, and the drafts are being reviewed by Keith McCloghrie. Three of these drafts (fcencaps-wglc, fcip-wglc, ifcp-wglcc) are drafts written in response to WG Last Call comments, and these drafts will soon be expired. The Name-Ext draft is a new draft approved as a WG item in Atlanta, and discussed later in the session. --- Boot draft Presented by John Hufferd, on behalf of Prasenjit Sarkar The boot draft has been sent back to the working group for further work, due to security issues. Need to address boot communications security only; Boot image integrity outside purview Software stage: not allowed in a secure boot because of integrity issues The boot environment is many times extremely constrained verses a fully operational environment. A limit of 64K is possible. Need to keep security fairly straightforward; getting too complex takes things backwards. Proposal: Use IPsec (common in wireless networks) takes care of IP addr initialization problem Bernard Aboba suggest use DHCP auth like ESP in IPsec Question for the IPS WG do we want another protocol at boot How to use IPsec w/o IP address - taken care of in wireless community. Bernard Aboba: Resources in boot processes very constrained. IPsec in boot PROM is possible, but IKE definitely will not fit. DHCP-AUTH probably works, but IPsec with IKE probably doesn't. Need to consider a staged approach. IPsec is reasonable at stage two. Recommendation from presentation: Boot stage: Use IPsec Not allowed: Pre-shared keys (dynamic IP addresses) Aboba suggest handling like iSCSI (aggressive mode) Accepted Public keys (disallowed by IPS Security draft) Manual Keying (provisioning hassle) Comments: If someone is really interested in security, they want it all the way down to level zero boot. How do we integrate security mechanisms in the boot loader? Not every mode of operation needs to be secure, but at least one mode does need to be secure. Verification of boot image is very difficult. DHCP-Auth makes sense, at boot, security depends on site security usage. If the second stage boot requires IPSEC, then the adapter better have that ability available. Need to be able to 'tickle' the IPsec functionality on the hardware. Big concern is that the Key probably needs to be in flash. Key exchange may not happen - instead may use manual key for only the boot, and the SA is torn down immediately after booting. There is a basic provisioning problem here. Direction for draft -- Two phase process. First: DHCP with DHCP-auth as necessary. Second: iSCSI to get boot image. IPsec used here, with simple key management. Pre-shared keys are better than manual keys, but provisioning problem is the same for both if they are burned into the card. Pre-shared allows a session key to be generated so lifetime is longer. Comment by Kevin Gibbons: iSNS has feature where boot target can be specified. This is as a addition to SLP. --- iSCSI naming extension draft Presented by Mallikajurn The T10 had two votes, the Grand Unified SCSI device name format passed first vote in working group, but was narrowly defeated in 2nd vote at plenary. This probably implies that this is not dead yet, but notion of common format with iSCSI is dead. Would have another form. This draft does not defined LU name, but Rob Elliot's proposal requires transports to defined the syntax of a logical unit name. Direction for draft: Keep it alive here. Add Rob Elliot's additional requirements in the T10 proposal which requires transports to define syntax of Logical Unit Name --- SCSI Command Ordering Draft Presented by Mallikajurn Motion to accept this as an official working group item. No objections. Will accept as working group draft. This is an implementer's notes draft. We can not produce too many such drafts. In Vienna will continue discussion and decide if other implementation observations (if any) need to be rolled in, or if this can proceed stand alone.
Home Last updated: Fri Mar 28 09:19:10 2003 12434 messages in chronological order |