As a co-chair of the storm WG, I'm looking for some input on updating the IPsec
requirements for iSCSI, which is the subject of a WG Last Call comment against
the new iSCSI draft.

The history here is that as part of the original work for iSCSI (and some
additional storage protocols), a profile of the then-current version of IPsec
(2400-series RFCs) was produced (RFC 3723), and iSCSI (RFC 3720) has "MUST
implement" requirements for that version of IPsec.  By the time iSCSI was
completed, the next version of IPsec (4300-series RFCs) was imminent, but a
deliberate decision was made to have both RFC 3720 and 3723 continue to refer
to the older version of IPsec.

A primary reason at the time was that iSCSI and IPsec implementations are
generally independent, and the most likely implementation path for iSCSI
involved existing older IPsec implementations.  That was back in 2004, and the
IPsec world has moved on since then.  The issue has been raised that it may not
be appropriate for the new iSCSI RFC-to-be to continue to require
implementation of RFC 2400-series IPsec.

The new iSCSI draft is fully backwards compatible with the existing iSCSI RFCs
(in contrast to IPsec, where the versions of IKE deliberately don't
interoperate), so jumping straight to 4300-series IPsec does not seem like a
good move unless 2400-series IPsec is extinct for all practical purposes.

Assuming 2400-series IPsec is not extinct, the appropriate requirements may be
of roughly the following form (this is a template, see RFC 3720 or 3723 for the
specific requirements to which this structure is to be applied):
        - MUST implement IPsec, 2400-series RFCs or 4300-series RFCs.
        - SHOULD implement IPsec, 4300-series RFCs.
        - I'm not inclined to also say: SHOULD NOT implement 2400-series IPsec.

OTOH, if 2400-series IPsec is extinct for all practical purposes, that all
reduces to
        - MUST implement IPsec, 4300-series.

I'm interested in comments on what the right thing to do is here and why.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.bl...@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
