Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
RFC 7146

 
Document Type: RFC - Proposed Standard (April 2014; No errata)
Last updated: 2014-04-04
Stream: IETF
WG state: Submitted to IESG for Publication
Consensus: Yes
Document shepherd: David Black
Shepherd write-up: last changed 2013-07-10
IESG state: RFC 7146 (Proposed Standard)
Responsible AD: Martin Stiemerling
Send notices to: storm-chairs@ietf.org, draft-ietf-storm-ipsec-ips-update@ietf.org
IANA review state: Version Changed - Review Needed
IANA action state: No IC

Internet Engineering Task Force (IETF)                          D. Black
Request for Comments: 7146                                           EMC
Updates: 3720, 3723, 3821, 3822, 4018, 4172,                   P. Koning
         4173, 4174, 5040, 5041, 5042, 5043,                        Dell
         5044, 5045, 5046, 5047, 5048                         April 2014
Category: Standards Track
ISSN: 2070-1721

               Securing Block Storage Protocols over IP:
               RFC 3723 Requirements Update for IPsec v3

Abstract

   RFC 3723 specifies IPsec requirements for block storage protocols
   over IP (e.g., Internet Small Computer System Interface (iSCSI))
   based on IPsec v2 (RFC 2401 and related RFCs); those requirements
   have subsequently been applied to remote direct data placement
   protocols, e.g., the Remote Direct Memory Access Protocol (RDMAP).
   This document updates RFC 3723's IPsec requirements to IPsec v3 (RFC
   4301 and related RFCs) and makes some changes to required algorithms
   based on developments in cryptography since RFC 3723 was published.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7146.

Black & Koning               Standards Track                    [Page 1]
RFC 7146            RFC 3723 Reqs Update for IPsec v3         April 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Requirements Language ......................................3
      1.2. Summary of Changes to RFC 3723 .............................4
      1.3. Other Updated RFCs .........................................4
   2. ESP Requirements ................................................6
      2.1. Data Origin Authentication and Data Integrity Transforms ...6
      2.2. Confidentiality Transform Requirements .....................7
   3. IKEv1 and IKEv2 Requirements ....................................8
      3.1. Authentication Requirements ...............................10
      3.2. DH Group and PRF Requirements .............................11
   4. Security Considerations ........................................11
   5. References .....................................................12
      5.1. Normative References ......................................12
      5.2. Informative References ....................................16
   Appendix A. Block Cipher Birthday Bounds ..........................17
   Appendix B. Contributors ..........................................17

1.  Introduction

   [RFC3723] specifies IPsec requirements for block storage protocols
   over IP (e.g., iSCSI [RFC3720]) based on IPsec v2 ([RFC2401] and
   related RFCs); those requirements have subsequently been applied to
   remote direct data placement protocols, e.g., RDMAP [RFC5040].  This
   document updates RFC 3723's IPsec requirements to IPsec v3 ([RFC4301]
   and related RFCs) to reflect developments since RFC 3723 was
   published.

   For brevity, this document uses the term "block storage protocols" to
   refer to all protocols to which RFC 3723's requirements apply; see
   Section 1.3 for details.

   In addition to the IPsec v2 requirements in RFC 3723, IPsec v3, as
   specified in [RFC4301] and related RFCs (e.g., IKEv2 [RFC5996]),
   SHOULD be implemented for block storage protocols.  Retention of the
   mandatory requirement for IPsec v2 provides interoperability with