Underlying IPSec requirements

To: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: Underlying IPSec requirements
From: Ernest Dainow <Ernest.Dainow@mcdata.com>
Date: Mon, 18 Feb 2002 10:05:59 -0500
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu


The IP Storage security requirements are specified in the iSCSI and FCIP
draft RFCs and are repeated and elaborated in the Security paper. This is
beneficial in that it provides a comprehensive summary of IPSec and it
clarifies the "subset" of IPSec that is required. However, it is not clear
the extent to which IPSec specifications not explicitly mentioned in the IPS
Security paper must be supported.  

For example, IKE supports the negotiation of a lifetime for the Security
Association. This can be either in seconds or kilobytes. My interpretation
is that this must be supported, but other people I have talked to have not
reached the same conclusion.

If the intent is that IPSec requirements not specifically mentioned in the
IPS drafts must be supported, a statement to this effect should be added to
the documents.

A clear summary of the requirements for all configurable IPsec parameters
should be provided. Following is a list of these parameters. Most are well
summarized; are few are not. An * indicates those that are not well covered
by the IPS drafts:

    IPSec end points: 
    Connection: Source IP:Port, Destination IP:Port
    Protocol: TCP/UDP
	Tunnel or Transport mode 
	    Tunnel mode: 
		destination address for source machine
		*protected addresses for gateway machine
    IKE Negotiation options:
	ESP or AH
	    ESP: acceptable hash algorithms, encryption algorithms
	    AH: acceptable hash algorithms
	Authentication method: Shared secret/Certificates
	Action on sequence number wrap (anti-replay)
	Perfect Forward Secrecy
	*Lifetime: seconds/kilobytes
	*ESP padding

Tunnel mode protected addresses: 
An important IPSec requirement is that the receiving end must check all IP
packets against the security policy and drop the packet if security is
required. In order to do this on a gateway machine, the machine must know
which destinations behind the gateway require security and which do not. The
method of specifying host addresses, subnet addresses, etc. has been an area
of major interoperability problems in IPSec.

ESP padding:
IPSec supports the option of adding a variable amount of padding to the ESP
payload, for the purposes of impeding traffic analysis by size of packets.
Most IPSec implementation seem to ignore this option and do not make it
available to the user.

Prev by Date: Re: [iSCSI][Q+RFC] login response, tsid
Next by Date: Separate SA for each TCP connection
Prev by thread: Re: [iSCSI][Q+RFC] login response, tsid
Next by thread: Re: Underlying IPSec requirements
Index(es):
- Date
- Thread

Home

Last updated: Mon Feb 18 11:17:59 2002
8781 messages in chronological order