RE: Security Use Requirements

Bernard,

Both IPSec and TLS will be in the standard. As we are talking about speeds that will be in excess of 1GBs even on modest disk controllers, we were all hesitant to make anything in this category mandatory to implement today. We assume that all those who require security beyond CRC and session authentication will pay for and get it. However, those that build a Storage Area Network within a small enterprise completely isolated from the internet will not have to pay for what they do not need.

Regards,
Julo

"Bernard D. Aboba" <aboba@internaut.com> on 06/02/2001 15:52:52
Please respond to "Bernard D. Aboba" <aboba@internaut.com>

To: Julian Satran/Haifa/IBM@IBMIL
cc: Black_David@emc.com, ips@ece.cmu.edu, RJ Atkinson <rja@inet.org>, "Smb@Research. Att. Com" <smb@research.att.com>, Ofer Biran/Haifa/IBM@IBMIL
Subject: RE: Security Use Requirements

> deployment at 1" - with CRCs mandatory to implement (optional to use) and
> all the rest is optional to use and implement.

CRCs only provide integrity protection, but not authentication, since they are not keyed. Thus, they provide no protection against spoofing attacks. Even if the CRC is non-linear, it is not hard to build a device that will change packets on the fly without fear of detection. The TCP checksum is non-linear, but it can be guessed right about half the time.

An example of the kinds of attacks that are possible is found at: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html. I'm sure the folks at Berkeley will be happy to provide an equivalent analysis for iSCSI.

Do you really want to enable attackers to insert or change data destined for a SAN disk at will? Even if the iSCSI SAN is using link-local addressing, and therefore is not accessible from the Internet, there is still risk from internal attack. A more reasonable approach would be to require at least authentication and integrity protection (e.g. IPSEC AH or ESP null).
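Bernard's point that an unkeyed CRC is integrity against noise but not authentication, as an added example that is not part of this thread: it models an in-path device that rewrites a frame and repairs the CRC32 using the CRC's linearity, then shows the same rewrite failing a keyed HMAC check (a stand-in for the authentication IPsec AH / ESP-null would add). The frame contents, the field names and the session key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample frame standing in for an iSCSI data segment (not a real PDU layout).
PAYLOAD = b"WRITE lba=0x00001000 data=transfer:approved"
TARGET = PAYLOAD.replace(b"approved", b"rejected")      # same length, so a pure XOR change
DELTA = bytes(a ^ b for a, b in zip(PAYLOAD, TARGET))
KEY = b"constructed-key-shared-by-initiator-and-target"  # hypothetical session key

def crc_frame(payload: bytes) -> bytes:
    """Sender: append an unkeyed CRC32. Detects noise, not an adversary."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_verify(frame: bytes) -> bool:
    """Receiver: recompute the CRC. Anything the receiver can compute, an in-path box can too."""
    payload, tag = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag

def hmac_frame(payload: bytes, key: bytes) -> bytes:
    """Sender: append a keyed MAC (stand-in for the authentication IPsec AH / ESP-null adds)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def hmac_verify(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)

def xor_payload(frame: bytes, delta: bytes, tag_len: int) -> bytes:
    """Model of an in-path device XORing `delta` into the payload; the tag is left untouched."""
    payload, tag = frame[:-tag_len], frame[-tag_len:]
    return bytes(p ^ d for p, d in zip(payload, delta)) + tag

def crc_fixup(frame: bytes, delta: bytes) -> bytes:
    """Same modification with the CRC repaired via linearity: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
    No key and not even the original payload is needed, only the old tag and the change."""
    modified = xor_payload(frame, delta, 4)
    old_tag = int.from_bytes(frame[-4:], "big")
    new_tag = old_tag ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return modified[:-4] + new_tag.to_bytes(4, "big")

def demo() -> dict:
    """Run both receivers against the same tampered frame."""
    tampered_crc = crc_fixup(crc_frame(PAYLOAD), DELTA)
    tampered_mac = xor_payload(hmac_frame(PAYLOAD, KEY), DELTA, 32)
    return {
        "crc_receiver_accepts": crc_verify(tampered_crc),       # True: the forgery is not noticed
        "crc_payload_now": tampered_crc[:-4],                    # b'...transfer:rejected'
        "mac_receiver_accepts": hmac_verify(tampered_mac, KEY),  # False: modification detected
    }
```

The CRC receiver accepts a frame whose meaning was changed in transit; only the keyed check, which the in-path device cannot recompute, rejects it.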