RE: ISCSI: Required Crytographic transforms for iSCSI

Yes, NULL Encryption needs to be a "MUST implement"; fortunately,
it's not a lot of code or hardware :-). It was "MUST implement"
as of the Nashua meeting, and there was no intention to change
that - I'll make sure this appears on the summary of security
directions from the Orange County meeting (which will include
the rationale for those directions) that I intend to get to the
list *today* (i.e., well in advance of the draft minutes).

The good news in the other direction is that we don't need any
additional language to enable Encryption without a MAC - IKE/ISAKMP
allows this by omission of negotiation of the MAC (just to confuse
things, a MAC is an "Authentication Algorithm" in ISAKMP-speak).

Encryption ("Transform" in ISAKMP-speak, includes both the actual
crypto algorithm and its operating mode) negotiation cannot
be omitted for ESP due to design decisions in ESP and ISAKMP,
hence the need to make "NULL encryption" a "MUST implement".

Credit to Bill for catching this. Thanks,
--David

> -----Original Message-----
> From: Bill Strahm [mailto:bill@sanera.net]
> Sent: Wednesday, August 29, 2001 11:34 AM
> To: Ips@Ece. Cmu. Edu
> Subject: ISCSI: Required Crytographic transforms for iSCSI
>
>
> When we were talking about required transforms yesterday in Los Angeles, I
> believe that we forgot a VERY important transform that needs to be a MUST
> implement for ESP. That is the NULL Encryption Algorithm (RFC2410).
>
> I propose that this algorithm is a MUST implement for all iSCSI
> implementations.
>
> Bill
> Sanera Systems Inc.
>
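
The negotiation detail discussed in this thread, as an added example that is not part of the original messages: an ISAKMP Transform payload for ESP always carries a Transform ID (the encryption algorithm, possibly ESP_NULL), while the MAC is an optional "Authentication Algorithm" attribute. The numeric values are taken from RFC 2407 and the payload layout from RFC 2408; the function names and sample payloads are constructed for illustration, and only fixed-length (TV) attributes are handled.

```python
import struct

# Values from the IPsec DOI (RFC 2407); the sample payloads below are constructed.
ESP_3DES, ESP_NULL = 3, 11          # ESP Transform IDs
ATTR_AUTH_ALG = 5                   # "Authentication Algorithm" attribute type
AUTH_HMAC_SHA = 2
AF_TV = 0x8000                      # attribute format bit: fixed 2-byte value


def build_transform(num, transform_id, attrs):
    """Build an ISAKMP Transform payload (RFC 2408, section 3.6)."""
    body = b"".join(struct.pack("!HH", AF_TV | t, v) for t, v in attrs)
    # next payload, reserved, length, transform #, transform ID, reserved2
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), num, transform_id, 0) + body


def parse_transform(payload):
    """Return (transform_id, {attr_type: value}) for one Transform payload."""
    if len(payload) < 8:
        raise ValueError("truncated transform header")
    _, _, length, _, transform_id, _ = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload) or (length - 8) % 4:
        raise ValueError("bad payload length")
    attrs = {}
    for off in range(8, length, 4):
        atype, value = struct.unpack("!HH", payload[off:off + 4])
        if not atype & AF_TV:
            raise ValueError("variable-length attribute not handled here")
        attrs[atype & 0x7FFF] = value
    return transform_id, attrs


def classify(payload):
    """Describe the protection an ESP transform offers."""
    transform_id, attrs = parse_transform(payload)
    has_mac = ATTR_AUTH_ALG in attrs
    if transform_id == ESP_NULL:
        # RFC 2406 forbids NULL encryption together with no authentication.
        return "integrity only" if has_mac else "invalid: no protection"
    return "encryption + MAC" if has_mac else "encryption only"


if __name__ == "__main__":
    for p in (build_transform(1, ESP_3DES, []),
              build_transform(2, ESP_NULL, [(ATTR_AUTH_ALG, AUTH_HMAC_SHA)]),
              build_transform(3, ESP_NULL, [])):
        print(p.hex(), "->", classify(p))
```
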
Last updated: Tue Sep 04 01:03:50 2001