Re: iSCSI Security mechanisms

[Bernard Aboba <aboba@internaut.com>]

> This leaves open the issue of where the key(s) for
> ESP come from.  IKE is OPTIONAL, and use of SRP to
> supply keys for ESP is NOT REQUIRED (not even
> specified - I need to find the time to work on
> writing this up).  This leaves pre-shared keys as
> the minimum mechanism, and hence I believe that
> a suitably secured administrative interface to
> supply pre-shared keys to ESP will have to be
> REQUIRED for interoperability even if a dynamic
> keying mechanism like IKE is implemented.
> 
Let me make sure I understand this:

a. You use SRP (which derives a key) only for authentication, but then
throw the derived keying material away. 

b. You then use IPSEC manual keying, along with an unspecified
transform, and key distribution mechanism. 

Note that what is described above is not really pre-shared secrets,
because those are used to authenticate DH in order to derive keying
material. Since you're not using derived keying material, we're really
talking about manual keying. 

I would suggest that the above manages to combine the computational
demands of IKE (and then some, since SRP is slower than ordinary DH)
the administrative headaches of manual keying and the interoperability
problems of specifying nothing. 

Ancient proverb: "The first step in removing yourself from a deep hole is
to stop digging." 

If you're going to do SRP for authentication, you might as well add in key
derivation, and negotiation of things like ciphersuites, prime
modulus/generator groups, etc. so you can use it for IPSEC keying. 
A rather small spec could accomplish this IF we decide it is necessary.

If don't want to use the SRP keying material, you might as well use a
slimmed down version of IKE (say, aggressive mode only) to address the
code size concern.