
    Underlying IPSec requirements

    The IP Storage security requirements are specified in the iSCSI and FCIP
    draft RFCs and are repeated and elaborated in the Security paper. This is
    beneficial in that it provides a comprehensive summary of IPSec and it
    clarifies the "subset" of IPSec that is required. However, it is not clear
    the extent to which IPSec specifications not explicitly mentioned in the IPS
    Security paper must be supported.  
    For example, IKE supports the negotiation of a lifetime for the Security
    Association. This can be either in seconds or kilobytes. My interpretation
    is that this must be supported, but other people I have talked to have not
    reached the same conclusion.
    If the intent is that IPSec requirements not specifically mentioned in the
    IPS drafts must be supported, a statement to this effect should be added to
    the documents.
    A clear summary of the requirements for all configurable IPsec parameters
    should be provided. Following is a list of these parameters. Most are well
    summarized; a few are not. An * indicates those that are not well covered
    by the IPS drafts:
        IPSec end points:
            Connection: Source IP:Port, Destination IP:Port
            Protocol: TCP/UDP
            Tunnel or Transport mode
                Tunnel mode:
                    destination address for source machine
                    *protected addresses for gateway machine
        IKE Negotiation options:
            ESP or AH
                ESP: acceptable hash algorithms, encryption algorithms
                AH: acceptable hash algorithms
            Authentication method: Shared secret/Certificates
            Action on sequence number wrap (anti-replay)
            Perfect Forward Secrecy
            *Lifetime: seconds/kilobytes
            *ESP padding
    Tunnel mode protected addresses: 
    An important IPSec requirement is that the receiving end must check all IP
    packets against the security policy and drop the packet if security is
    required. In order to do this on a gateway machine, the machine must know
    which destinations behind the gateway require security and which do not. The
    method of specifying host addresses, subnet addresses, etc. has been an area
    of major interoperability problems in IPSec.
    ESP padding:
    IPSec supports the option of adding a variable amount of padding to the ESP
    payload, for the purposes of impeding traffic analysis by size of packets.
    Most IPSec implementations seem to ignore this option and do not make it
    available to the user.
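
The inbound check described under "Tunnel mode protected addresses", sketched as an added example that is not part of the original message or of any IPS draft: a gateway matches each packet's destination against an ordered list of protected host and subnet entries and drops cleartext where security is required. The policy entries, addresses, function names and the fail-closed default for unmatched packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PolicyEntry:
    dst: str              # protected host ("10.1.2.5/32") or subnet ("10.1.2.0/24")
    proto: Optional[str]  # "tcp", "udp", or None for any protocol
    dport: Optional[int]  # destination port, or None for any port
    action: str           # "protect" (IPsec required), "bypass" or "discard"

# Constructed sample policy for a gateway; ordered, first match wins.
SPD = [
    PolicyEntry("10.1.2.5/32", "tcp", 3260, "protect"),  # one iSCSI target host
    PolicyEntry("10.1.2.0/24", "tcp", 3225, "protect"),  # FCIP on a storage subnet
    PolicyEntry("10.1.3.0/24", None, None, "bypass"),    # subnet needing no security
]

def lookup(spd, dst, proto, dport):
    """Return the first entry whose selectors cover the packet, or None."""
    addr = ipaddress.ip_address(dst)
    for entry in spd:
        if addr not in ipaddress.ip_network(entry.dst):
            continue
        if entry.proto is not None and entry.proto != proto:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry
    return None

def inbound_verdict(spd, dst, proto, dport, via_ipsec):
    """Return "accept" or "drop" for a packet the gateway is about to forward.

    via_ipsec is True when the packet was decapsulated from a valid
    tunnel-mode SA, False when it arrived in the clear.
    """
    entry = lookup(spd, dst, proto, dport)
    if entry is None or entry.action == "discard":
        return "drop"  # assumption: unmatched traffic fails closed
    # Accept only when the protection actually applied matches the policy:
    # cleartext to a protected destination is dropped, and so is traffic
    # that arrived on an SA for a destination the policy does not protect.
    required = entry.action == "protect"
    return "accept" if via_ipsec == required else "drop"
```

Because the host entry and the subnet entry overlap, two implementations that express the same protected addresses differently (one host versus the enclosing subnet) can reach different verdicts for the same packet, which is the interoperability problem the message points to.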


Last updated: Mon Feb 18 11:17:59 2002