|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Security Use RequirementsIt is hard for me to see how you could get away with no security services at all (e.g. no per-packet authentication and integrity protection for iSCSI PDUs). After all, we're talking about facilities that are used by the world's major financial institutions. If this data isn't worth protecting, I don't know what is. Do you really want attackers to be able to manipulate the contents of bank accounts at will over the Internet? Furthermore, there really isn't a sound technical argument for dispensing with security. There are chipsets available that can provide IPSEC integrity and authentication services at speeds of 1 Gbps or higher. -----Original Message----- From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Black_David@emc.com Sent: Monday, February 05, 2001 12:54 PM To: ips@ece.cmu.edu Subject: Security Use Requirements In Orlando, I picked up an action item to determine what the requirements are for *use* of security features, as opposed to requirements for *implementation*. I believe the answer to be that it is acceptable to specify security measures weaker than those one would want to use in full generality on a public network, where "weaker" includes no security. There are two important caveats that apply: - Security of the negotiation mechanism becomes very important when this is done, as there's an obvious man-in-the-middle attack on the negotiation mechanism to get the endpoints to negotiate weaker security than they intended. - The weaker security mechanisms need to be documented in terms of their security properties (and lack thereof), as well as environments in which they are appropriate. The "Security Considerations" section of RFC 2338 (VRRP) has been recommended as a good example of this. --David --------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 42 South St., Hopkinton, MA 01748 +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500 black_david@emc.com Mobile: +1 (978) 394-7754 ---------------------------------------------------
Home Last updated: Tue Sep 04 01:05:35 2001 6315 messages in chronological order |