Underlying IPSec requirements
The IP Storage security requirements are specified in the iSCSI and FCIP draft RFCs and are repeated and elaborated in the Security paper. This is beneficial in that it provides a comprehensive summary of IPSec and it clarifies the "subset" of IPSec that is required. However, it is not clear the extent to which IPSec specifications not explicitly mentioned in the IPS Security paper must be supported. For example, IKE supports the negotiation of a lifetime for the Security Association. This can be either in seconds or kilobytes. My interpretation is that this must be supported, but other people I have talked to have not reached the same conclusion. If the intent is that IPSec requirements not specifically mentioned in the IPS drafts must be supported, a statement to this effect should be added to the documents.

A clear summary of the requirements for all configurable IPsec parameters should be provided. Following is a list of these parameters. Most are well summarized; a few are not. An * indicates those that are not well covered by the IPS drafts:

IPSec end points:
    Connection: Source IP:Port, Destination IP:Port
    Protocol: TCP/UDP
Tunnel or Transport mode
    Tunnel mode: destination address for source machine
    *protected addresses for gateway machine
IKE Negotiation options:
    ESP or AH
    ESP: acceptable hash algorithms, encryption algorithms
    AH: acceptable hash algorithms
    Authentication method: Shared secret/Certificates
    Action on sequence number wrap (anti-replay)
    Perfect Forward Secrecy
    *Lifetime: seconds/kilobytes
    *ESP padding

Tunnel mode protected addresses:
An important IPSec requirement is that the receiving end must check all IP packets against the security policy and drop the packet if security is required. In order to do this on a gateway machine, the machine must know which destinations behind the gateway require security and which do not. The method of specifying host addresses, subnet addresses, etc. has been an area of major interoperability problems in IPSec.

ESP padding:
IPSec supports the option of adding a variable amount of padding to the ESP payload, for the purposes of impeding traffic analysis by size of packets. Most IPSec implementations seem to ignore this option and do not make it available to the user.
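
The inbound check described under "Tunnel mode protected addresses", as an added example that is not part of the original message or of the IPS drafts. The selector syntax (host, CIDR subnet, "first-last" range), the PROTECT/BYPASS/DISCARD action names, the default-discard behaviour and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

def parse_selector(text):
    """Return (first, last) for a host, a CIDR subnet, or a 'first-last' range (IPv4)."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {text}")
        return lo, hi
    # strict=True rejects subnets written with host bits set (e.g. 192.0.2.65/26),
    # one of the ways two ends can silently disagree about what is protected.
    net = ipaddress.IPv4Network(text, strict=True)
    return net.network_address, net.broadcast_address

@dataclass
class Rule:
    selector: str   # destination behind the gateway
    action: str     # "PROTECT" (IPsec required) or "BYPASS" (cleartext allowed)

class InboundPolicy:
    def __init__(self, rules, default="DISCARD"):
        # Every selector form is normalised to one inclusive address range.
        self.rules = [(parse_selector(r.selector), r.action) for r in rules]
        self.default = default   # assumption: unmatched destinations are dropped

    def action_for(self, dst):
        addr = ipaddress.IPv4Address(dst)
        for (lo, hi), action in self.rules:   # ordered list, first match wins
            if lo <= addr <= hi:
                return action
        return self.default

    def accept(self, dst, arrived_via_ipsec):
        """True if the gateway may forward a packet addressed to dst."""
        action = self.action_for(dst)
        if action == "PROTECT":
            return arrived_via_ipsec   # cleartext to a protected address is dropped
        return action == "BYPASS"      # simplification: BYPASS accepts either form

# Constructed sample policy using documentation addresses (192.0.2.0/24).
POLICY = InboundPolicy([
    Rule("192.0.2.10", "PROTECT"),               # single host
    Rule("192.0.2.64/26", "PROTECT"),            # subnet 192.0.2.64 to 192.0.2.127
    Rule("192.0.2.200-192.0.2.220", "BYPASS"),   # explicit range
])
```
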
Last updated: Mon Feb 18 11:17:59 2002