SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    FW: Notes from IPS meeting



    Here are the minutes from the IPS meeting last week.
    Please review and let David and/or I know of any
    comments/corrections/issues by 5pm EST on Tuesday April 1.
    
    Thanks,
    
    Elizabeth Rodriguez
    ----
    
    
    IPS Working Group - Tuesday, March 18, 2003
    
    Status of Drafts -
    
    Per the IETF ID Tracker, located at
    https://datatracker.ietf.org/public/pidtracker.cgi
    
    Most thru working group last call.
    A few approved for publication.
    
    Status:  Publication Requested (these are standards track documents
    which have just recently been forwarded to the ADs for initial review)
    	Auth MIB
    	FC Mgmt MIB
    	iFCP MIB
    	iSCSI MIB
    
    Status: AD Evaluation
    	FCIP SLP (has completed expert review.  Same expert review
    applies to iSCSI SLP)
    	iSCSI SLP
    	Stringprep
    	iSNS
    
    Status: IESG Evaluation/AD Followup
    	Naming and discovery - Back to ADs for review after revisions
    made in response to IESG feedback
    
    Status: IESG Evaluation/Revised ID needed
    	Boot draft sent back due to security problems.  Issues discussed
    later in session.
    
    Status: RFC Editor Queue (Approved for Publication)
    FC Common Encapsulation
    IPS Security
    iSCSI
    FCIP
    iFCP
    These documents are in the RFC Editor Queue and are pending references.
    To see the dependencies these drafts are awaiting, see
    http://www.rfc-editor.org/queue.html.
    
    Long poll on the iSCSI RFC assignment is waiting on the AES Counter
    draft. Possible expedition after references are completed.
    
    Question was asked about status of FC-BB-2 publication.  Craig Carlson
    (T11.3 Chair) stated that the ANSI publication process is slow and final
    publication may not  be available for 6 months.
    
    Status: ID Exists
    	Three of these drafts (SCSI MIB, FCIP MIB, iSNS MIB) are almost
    ready to be forwarded.  Nit checks have already occurred, and the drafts
    are being reviewed by Keith McCloghrie.
    
    	Three of these drafts (fcencaps-wglc, fcip-wglc, ifcp-wglcc) are
    drafts written in response to WG Last Call comments, and these drafts
    will soon be expired.
    
    	The Name-Ext draft is a new draft approved as a WG item in
    Atlanta, and discussed later in the session.
    
    ---
    
    Boot draft
    Presented by John Hufferd, on behalf of Prasenjit Sarkar
    
    The boot draft has been sent back to the working group for further work,
    due to security issues.
    Need to address boot communications security only; Boot image integrity
    outside purview
    Software stage: not allowed in a secure boot because of integrity issues
    
    The boot environment is many times extremely constrained verses a fully
    operational environment.  A limit of 64K is possible.  Need to keep
    security fairly straightforward; getting too complex takes things
    backwards. 
    
    
    Proposal:  Use IPsec (common in wireless networks) takes care of IP addr
    initialization problem
    	Bernard Aboba suggest use DHCP auth like ESP in IPsec
    	Question for the IPS WG do we want another protocol at boot
    	How to use IPsec w/o IP address - taken care of in wireless
    community.
    
    Bernard Aboba: 
    Resources in boot processes very constrained.
    IPsec in boot PROM is possible, but IKE definitely will not fit.
    DHCP-AUTH probably works, but IPsec with IKE probably doesn't.
    Need to consider a staged approach. IPsec is reasonable at stage two.
    
    Recommendation from presentation:
    Boot stage:  Use IPsec
    Not allowed:
    Pre-shared keys (dynamic IP addresses)
    Aboba suggest handling like iSCSI (aggressive mode)
    	Accepted
    	Public keys (disallowed by IPS Security draft)
    	Manual Keying (provisioning hassle)
    
    Comments:
    If someone is really interested in security, they want it all the way
    down to level zero boot.
    How do we integrate security mechanisms in the boot loader?
    
    Not every mode of operation needs to be secure, but at least one mode
    does need to be secure.  
    Verification of boot image is very difficult.  
    
    DHCP-Auth makes sense, at boot, security depends on site security usage.
    If the second stage boot requires IPSEC, then the adapter better have
    that ability available. Need to be able to 'tickle' the IPsec
    functionality on the hardware.  
    
    Big concern is that the Key probably needs to be in flash. Key exchange
    may not happen - instead may use manual key for only the boot, and the
    SA is torn down immediately after booting. There is a basic provisioning
    problem here.
      
    Direction for draft -- Two phase process.
    	First:  DHCP with DHCP-auth as necessary. 
    	Second: iSCSI to get boot image.  IPsec used here, with simple
    key management.
    		  Pre-shared keys are better than manual keys, but
    provisioning problem 
    		  is the same for both if they are burned into the card.
    
    		  Pre-shared allows a session key to be generated so
    lifetime is longer.
    
    Comment by Kevin Gibbons:  iSNS has feature where boot target can be
    specified.  This is as a addition to SLP.  
    
    ---
    iSCSI naming extension draft
    Presented by Mallikajurn
    
    The T10 had two votes, the Grand Unified SCSI device name format passed
    first vote in working group, but was narrowly defeated in 2nd vote at
    plenary.  This probably implies that this is not dead yet, but notion of
    common format with iSCSI is dead.  Would have another form.  
    
    This draft does not defined LU name, but Rob Elliot's proposal requires
    transports to defined the syntax of a logical unit name.
    
    Direction for draft: Keep it alive here.  Add Rob Elliot's additional
    requirements in the T10 proposal which requires transports to define
    syntax of Logical Unit Name
    
    ---
    
    SCSI Command Ordering Draft 
    Presented by Mallikajurn
    
    Motion to accept this as an official working group item.  No objections.
    
    Will accept as working group draft.  
    This is an implementer's notes draft.  We can not produce too many such
    drafts.
    In Vienna will continue discussion and decide if other implementation
    observations (if any) need to be rolled in, or if this can proceed stand
    alone.
    
    


Home

Last updated: Fri Mar 28 09:19:10 2003
12434 messages in chronological order