
[IPsec] iSCSI: IPsec requirements

From: <david.black_at_nospam>
Date: Tue Oct 11 2011 - 04:42:11 GMT
To: <ipsec@ietf.org>

As a co-chair of the storm WG, I'm looking for some input on updating the IPsec
requirements for iSCSI, which is the subject of a WG Last Call comment against
the new iSCSI draft.

The history here is that as part of the original work for iSCSI (and some additional
storage protocols), a profile of the then-current version of IPsec (2400-series RFCs)
was produced (RFC 3723), and iSCSI (RFC 3720) has "MUST implement" requirements for
that version of IPsec. By the time iSCSI was completed, the next version of IPsec
(4300-series RFCs) was imminent, but a deliberate decision was made to have both
RFC 3720 and 3723 continue to refer to the older version of IPsec.

A primary reason at the time was that iSCSI and IPsec implementations are generally
independent, and the most likely implementation path for iSCSI involved existing
older IPsec implementations. That was back in 2004, and the IPsec world has moved
on since then. The issue has been raised that it may not be appropriate for the new
iSCSI RFC-to-be to continue to require implementation of RFC 2400-series IPsec.

The new iSCSI draft is fully backwards compatible with the existing iSCSI RFCs (in
contrast to IPsec, where the versions of IKE deliberately don't interoperate), so
jumping straight to 4300-series IPsec does not seem like a good move unless
2400-series IPsec is extinct for all practical purposes.

Assuming 2400-series IPsec is not extinct, the appropriate requirements may be of
roughly the following form (this is a template, see RFC 3720 or 3723 for the specific
requirements to which this structure is to be applied):
        - MUST implement IPsec, 2400-series RFCs or 4300-series RFCs.
        - SHOULD implement IPsec, 4300-series RFCs.
        - I'm not inclined to also say: SHOULD NOT implement 2400-series IPsec.

OTOH, if 2400-series IPsec is extinct for all practical purposes, that all reduces to
        - MUST implement IPsec, 4300-series.

I'm interested in comments on what the right thing to do is here and why.

David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
david.black@emc.com Mobile: +1 (978) 394-7754
