RE: iFCP: security position

To: "Franco Travostino" <travos@nortelnetworks.com>, <ips@ece.cmu.edu>
Subject: RE: iFCP: security position
From: "Bill Strahm" <bill@sanera.net>
Date: Fri, 7 Sep 2001 15:17:21 -0700
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <5.0.2.1.2.20010907161859.03a1c510@zbl6c002.corpeast.baynetworks.com>
Sender: owner-ips@ece.cmu.edu

This is going to be very interseting... How do you plan on using standard
IPsec clients that have DES as MUST implement when your application that
sits above it has a MUST NOT implement requirement.  This would be like
having a protocol that tells layer 3 that it MUST run over Token Ring, but
MUST NOT run over Ethernet.

These are all policy issues that can be solved by having the end users
implement appropriate policies, not by standards organizations

Bill
Sanera Systems Inc.
-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Franco Travostino
Sent: Friday, September 07, 2001 1:31 PM
To: ips@ece.cmu.edu
Subject: iFCP: security position



After the interim meeting, we restate our security coordinates in the
following terms. Additionally, we have expanded our Irvine slides with
rationale text and insights that we learnt at the interim meeting. Such
amended slide set is available at
ftp://standards.nortelnetworks.com/san/ifcp_security_requirements-v2.pdf
Comments most welcome.

Keying: IKE
Pre-shared keys: MUST implement
Signature key authentication: MAY implement
Phase-1/Main Mode: MUST implement
Phase-1/Aggressive Mode: MAY implement
Phase-2/Quick Mode: MUST implement
Phase-2/Quick Mode + KE payload: MUST implement
Identities are IP addresses in all Phase-1/Phase-2 Modes


Integrity MAC:
HMAC-SHA1: MUST implement
AES (X)CBC MAC: SHOULD implement*


Encryption:
3DES CBC: MUST implement
AES CTR: SHOULD implement*
DES: SHOULD NOT implement
NULL: MUST implement


Encapsulation Style:
Tunnel Mode.


(*) IFF there is a Proposed Standard RFC that we can cite by the time we hit
Last Call. HMAC-SHA1 and 3DES CBC suit us fine otherwise (as justified in
the slides).

-franco
iFCP Technical Coordinator



Franco Travostino, Director Content Internetworking Lab
Advanced Technology Investments
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com

References:
- iFCP: security position
  - From: "Franco Travostino" <travos@nortelnetworks.com>

Prev by Date: RE: iSCSI: ISIDs
Next by Date: RE: iFCP: security position
Prev by thread: iFCP: security position
Next by thread: RE: iFCP: security position
Index(es):
- Date
- Thread

Home

Last updated: Fri Sep 07 19:17:10 2001
6452 messages in chronological order