RE: iFCP: security position

To: bill@sanera.net, ips@ece.cmu.edu
Subject: RE: iFCP: security position
From: Black_David@emc.com
Date: Fri, 7 Sep 2001 18:22:50 -0400
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Bill's DES issue goes away if the DES requirements language is
"SHOULD NOT use".  A facility that insists on using DES has
been more than adequately warned by the "SHOULD NOT".

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

> -----Original Message-----
> From: Bill Strahm [mailto:bill@sanera.net]
> Sent: Friday, September 07, 2001 6:17 PM
> To: Franco Travostino; ips@ece.cmu.edu
> Subject: RE: iFCP: security position
> 
> 
> This is going to be very interseting... How do you plan on 
> using standard
> IPsec clients that have DES as MUST implement when your 
> application that
> sits above it has a MUST NOT implement requirement.  This 
> would be like
> having a protocol that tells layer 3 that it MUST run over 
> Token Ring, but
> MUST NOT run over Ethernet.
> 
> These are all policy issues that can be solved by having the end users
> implement appropriate policies, not by standards organizations
> 
> Bill
> Sanera Systems Inc.
> -----Original Message-----
> From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> Franco Travostino
> Sent: Friday, September 07, 2001 1:31 PM
> To: ips@ece.cmu.edu
> Subject: iFCP: security position
> 
> 
> 
> After the interim meeting, we restate our security coordinates in the
> following terms. Additionally, we have expanded our Irvine slides with
> rationale text and insights that we learnt at the interim 
> meeting. Such
> amended slide set is available at
> ftp://standards.nortelnetworks.com/san/ifcp_security_requireme
nts-v2.pdf
Comments most welcome.

Keying: IKE
Pre-shared keys: MUST implement
Signature key authentication: MAY implement
Phase-1/Main Mode: MUST implement
Phase-1/Aggressive Mode: MAY implement
Phase-2/Quick Mode: MUST implement
Phase-2/Quick Mode + KE payload: MUST implement
Identities are IP addresses in all Phase-1/Phase-2 Modes


Integrity MAC:
HMAC-SHA1: MUST implement
AES (X)CBC MAC: SHOULD implement*


Encryption:
3DES CBC: MUST implement
AES CTR: SHOULD implement*
DES: SHOULD NOT implement
NULL: MUST implement


Encapsulation Style:
Tunnel Mode.


(*) IFF there is a Proposed Standard RFC that we can cite by the time we hit
Last Call. HMAC-SHA1 and 3DES CBC suit us fine otherwise (as justified in
the slides).

-franco
iFCP Technical Coordinator



Franco Travostino, Director Content Internetworking Lab
Advanced Technology Investments
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com

Follow-Ups:
- RE: iFCP: security position
  - From: "Bill Strahm" <bill@sanera.net>

Prev by Date: RE: iFCP: security position
Next by Date: RE: FCIP and iFCP Keying Problem
Prev by thread: RE: iFCP: security position
Next by thread: RE: iFCP: security position
Index(es):
- Date
- Thread

Home

Last updated: Fri Sep 07 19:17:10 2001
6452 messages in chronological order