The IESG has approved the Internet-Draft 'Securing Block Storage Protocols over IP' <draft-ietf-ips-security-19.txt> as a Proposed Standard. This document is the product of the IP Storage Working Group. The IESG contact persons are Scott Bradner and Allison Mankin.

Technical Summary

This specification specifies the use of the IPsec suite for protecting block storage protocols, including iSCSI (SCSI over TCP), iFCP (Fibre Channel clouds gatewayed over TCP), and FCIP (Fibre Channel nodes over TCP). It gives the threat model and then the mandatory algorithms for IPsec and IKE. It does the same for the authentication for the iSCSI login (only iSCSI has authentication; Fibre Channel has only recently started to develop this technology). The document also discusses some security issues for the discovery of block storage.

The specification is normative for the IP storage protocol specifications, though each of them contains its own security specifics. This document contains their threat models and substantive details.

Working Group Summary

The effort was the product of intense labor by a design team. It made frequent reports to the working group, and there was a large amount of working group discussion. The result was a strong consensus on the IPsec results, including the requirement to implement strong security recommendations.

There was a rougher consensus about authentication in iSCSI. The working group believed that RFC 2945, SRP, was the technically valid solution, but there was a strong dissenting voice against it, owing to concerns that IPR claims would muddy the waters for implementors. A rough consensus was called in the end by the Working Group Chairs and Area Director in favor of a highly restricted use of CHAP (96-bit minimum machine-generated key).

Protocol Quality

The specification was reviewed for the IESG by Allison Mankin. It is an overview specification. Its editor, Bernard Aboba, and the IPS working group chairs, David Black and Elizabeth Rodriguez, have informed the ADs that implementations of the IPsec/IKE recommendations, including hardware implementations for encrypting the IP storage data, are appearing.