Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    storm mailing list <>,
    storm chair <>
Subject: Protocol Action: 'Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3' to Proposed Standard (draft-ietf-storm-ipsec-ips-update-04.txt)

The IESG has approved the following document:
- 'Securing Block Storage Protocols over IP: RFC 3723 Requirements Update
   for IPsec v3'
  (draft-ietf-storm-ipsec-ips-update-04.txt) as Proposed Standard

This document is the product of the STORage Maintenance Working Group.

The IESG contact persons are Martin Stiemerling and Spencer Dawkins.

A URL of this Internet Draft is:

Technical Summary

   RFC 3723 specifies IPsec requirements for block storage protocols
   over IP (e.g., iSCSI) based on IPsec v2 (RFC 2401 and related RFCs);
   those requirements have subsequently been applied to remote direct
   data placement protocols, e.g., RDMAP.  This document updates RFC
   3723's IPsec requirements to IPsec v3 (RFC 4301 and related RFCs) and
   makes some changes to required algorithms based on developments in
   cryptography since RFC 3723 was published.

Working Group Summary

   This document updates the IPsec requirements in RFC 3723 and all RFCs
   to which those requirements apply.  The iSCSI maintenance work in
   the storm WG had originally intended to only update the IPsec
   requirements for iSCSI.  Two developments changed this approach:

   o Cryptographic developments upended RFC 3723's requirement for 3DES
     as the mandatory to implement encryption transform.  The protocols
     to which RFC 3723 applies can approach 3DES's birthday bound and
     need to rekey in less than a minute on high-speed links.

   o iSER (iSCSI extensions for RDMA) uses RFC 3723 IPsec requirements
     twice, once for iSCSI and once for the underlying rddp (iWARP)
     RDMA protocol.  An RFC 3723 update is needed for the latter in
     order to avoid inconsistent IPsec requirements in the same protocol

   David McGrew and Steve Kent (respectively) deserve credit for surfacing
   the above two concerns that lead to creation of this document.  This
   document has not been controversial in the storm WG.

Document Quality

   This document specifies a profile of widely implemented protocols,
   IPsec v2 and v3.  The specified cryptographic transforms have been
   selected as ones that are commonly available in IPsec implementations.

   Sean Turner (SEC AD) and Paul Hoffman (ipsecme WG chair) were both
   notably helpful in providing advice on transform selection.  Yaron
   Sheffer (ipsecme WG chair) provided a thorough review that significantly
   improved the quality of this document.  Tom Talpey (storm WG chair)
   provided a thorough WG Last Call review.

   The document shepherd is very pleased with the help received from
   both ipsecme WG co-chairs and the AD responsible for the ipsecme WG.


   Document Shepherd: David Black (storm WG co-chair,
   Responsible Area Director: Martin Stiemerling (Transport,