Technical Summary
RFC 3723 specifies IPsec requirements for block storage protocols
over IP (e.g., iSCSI) based on IPsec v2 (RFC 2401 and related RFCs);
those requirements have subsequently been applied to remote direct
data placement protocols, e.g., RDMAP. This document updates RFC
3723's IPsec requirements to IPsec v3 (RFC 4301 and related RFCs) and
makes some changes to required algorithms based on developments in
cryptography since RFC 3723 was published.
Working Group Summary
This document updates the IPsec requirements in RFC 3723 and all RFCs
to which those requirements apply. The iSCSI maintenance work in
the storm WG had originally intended to only update the IPsec
requirements for iSCSI. Two developments changed this approach:
o Cryptographic developments upended RFC 3723's requirement for 3DES
as the mandatory-to-implement encryption transform. The protocols
to which RFC 3723 applies can approach 3DES's birthday bound and
would need to rekey in less than a minute on high-speed links.
o iSER (iSCSI extensions for RDMA) uses RFC 3723 IPsec requirements
twice, once for iSCSI and once for the underlying rddp (iWARP)
RDMA protocol. An RFC 3723 update is needed for the latter in
order to avoid inconsistent IPsec requirements in the same protocol
stack.
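To make the first bullet's claim concrete, the following is an added example (not part of this writeup and not taken from RFC 3723 or its update) that estimates how long full-rate traffic takes to reach a block cipher's birthday bound. It assumes the bound is 2^(n/2) blocks for an n-bit block cipher with no safety margin, that the link carries ESP payload at its nominal rate, and it ignores header and framing overhead, so the figures are upper bounds on the usable SA lifetime; the cipher and link-rate sets are constructed for illustration.

```python
# Added example: time to reach a block cipher's birthday bound at a given
# link rate. Assumptions (not from the writeup): bound = 2^(n/2) blocks with
# no safety margin; payload flows at full link rate; no overhead accounted.

def blocks_to_birthday_bound(block_bits):
    """Blocks after which a ciphertext-block collision becomes likely: 2^(n/2)."""
    return 2 ** (block_bits // 2)

def bytes_to_birthday_bound(block_bits):
    """Same bound expressed in bytes of plaintext encrypted under one key."""
    return blocks_to_birthday_bound(block_bits) * (block_bits // 8)

def rekey_seconds(block_bits, link_bits_per_second):
    """Seconds of full-rate traffic before the birthday bound is reached."""
    link_bytes_per_second = link_bits_per_second / 8
    return bytes_to_birthday_bound(block_bits) / link_bytes_per_second

# Constructed comparison sets: the 64-bit block of 3DES versus the 128-bit
# block of AES, across link rates typical of storage networks.
CIPHERS = {"3DES (64-bit block)": 64, "AES (128-bit block)": 128}
LINK_RATES = {"1 Gb/s": 1e9, "10 Gb/s": 10e9, "40 Gb/s": 40e9}

def rekey_table():
    """Return {cipher: {link rate: seconds to birthday bound}}."""
    return {cipher: {link: rekey_seconds(bits, rate)
                     for link, rate in LINK_RATES.items()}
            for cipher, bits in CIPHERS.items()}

if __name__ == "__main__":
    for cipher, row in rekey_table().items():
        print(cipher)
        for link, secs in row.items():
            print(f"  {link:>8}: {secs:.3g} s")
```

For 3DES the bound is 2^32 blocks, i.e. 32 GiB of payload, which a 10 Gb/s link delivers in about 27 seconds; the same computation for a 128-bit block cipher yields a lifetime measured in centuries, which is the difference that drove the change in mandatory-to-implement transform. Real deployments rekey well before the full bound, so the numbers here are the ceiling, not a recommended SA lifetime.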
David McGrew and Steve Kent (respectively) deserve credit for surfacing
the above two concerns that led to creation of this document. This
document has not been controversial in the storm WG.
Document Quality
This document specifies a profile of widely implemented protocols,
IPsec v2 and v3. The specified cryptographic transforms have been
selected as ones that are commonly available in IPsec implementations.
Sean Turner (SEC AD) and Paul Hoffman (ipsecme WG chair) were both
notably helpful in providing advice on transform selection. Yaron
Sheffer (ipsecme WG chair) provided a thorough review that significantly
improved the quality of this document. Tom Talpey (storm WG chair)
provided a thorough WG Last Call review.
The document shepherd is very pleased with the help received from
both ipsecme WG co-chairs and the AD responsible for the ipsecme WG.
Personnel
Document Shepherd: David Black (storm WG co-chair, david.black@emc.com)
Responsible Area Director: Martin Stiemerling (Transport, martin.stiemerling@neclab.eu)