Securing Block Storage Protocols over IP
RFC 3723

Document Type RFC - Proposed Standard (April 2004; No errata)
Updated by RFC 7146
Last updated 2015-10-14
Stream IETF
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3723 (Proposed Standard)
Consensus Boilerplate Unknown
Responsible AD Allison Mankin
Send notices to <ElizabethRodriguez@ieee.org>
Network Working Group                                           B. Aboba
Request for Comments: 3723                                     Microsoft
Category: Standards Track                                       J. Tseng
                                                      McDATA Corporation
                                                               J. Walker
                                                                   Intel
                                                               V. Rangan
                                     Brocade Communications Systems Inc.
                                                           F. Travostino
                                                         Nortel Networks
                                                              April 2004

                Securing Block Storage Protocols over IP

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document discusses how to secure block storage and storage
   discovery protocols running over IP (Internet Protocol) using IPsec
   and IKE (Internet Key Exchange).  Threat models and security
   protocols are developed for iSCSI (Internet Protocol Small Computer
   System Interface), iFCP (Internet Fibre Channel Storage Networking)
   and FCIP (Fibre Channel over TCP/IP), as well as the iSNS (Internet
   Storage Name Server) and SLPv2 (Service Location Protocol v2)
   discovery protocols.  Performance issues and resource constraints are
   analyzed.

Table of Contents

   1.  Introduction .................................................  3
       1.1.  iSCSI Overview .........................................  3
       1.2.  iFCP Overview ..........................................  4
       1.3.  FCIP Overview ..........................................  4
       1.4.  IPsec Overview .........................................  4
       1.5.  Terminology ............................................  6
       1.6.  Requirements Language ..................................  7

   2.  Block Storage Protocol Security ..............................  7
       2.1.  Security Requirements  .................................  7
       2.2.  Resource Constraints ................................... 10
       2.3.  Security Protocol ...................................... 12
       2.4.  iSCSI Authentication ................................... 16
       2.5.  SLPv2 Security ......................................... 18
       2.6.  iSNS Security .......................................... 24
   3.  iSCSI security Inter-Operability Guidelines .................. 28
       3.1.  iSCSI Security Issues .................................. 28
       3.2.  iSCSI and IPsec Interaction ............................ 29
       3.3.  Initiating a New iSCSI Session ......................... 30
       3.4.  Graceful iSCSI Teardown ................................ 31
       3.5.  Non-graceful iSCSI Teardown ............................ 31
       3.6.  Application Layer CRC .................................. 32
   4.  iFCP and FCIP Security Issues ................................ 34
       4.1.  iFCP and FCIP Authentication Requirements .............. 34
       4.2.  iFCP Interaction with IPsec and IKE .................... 34
       4.3.  FCIP Interaction with IPsec and IKE .................... 35
   5.  Security Considerations ...................................... 36
       5.1.  Transport Mode Versus Tunnel Mode ...................... 36
       5.2.  NAT Traversal .......................................... 39
       5.3.  IKE Issues ............................................. 40
       5.4.  Rekeying Issues ........................................ 40
       5.5.  Transform Issues ....................................... 43
       5.6.  Fragmentation Issues ................................... 45
       5.7.  Security Checks ........................................ 46
       5.8.  Authentication Issues .................................. 47
       5.9.  Use of AES in Counter Mode ............................. 51
   6.  IANA Considerations .......................................... 51
       6.1.  Definition of Terms .................................... 52
       6.2.  Recommended Registration Policies ...................... 52