RE: Security Use Requirements
Bernard,
Both IPSec and TLS will be in the standard. As we are talking about
speeds that will be in excess of 1GBs even on modest disk controllers, we
were all hesitant to make anything in this category mandatory to
implement today.
We assume that all those who require security beyond CRC and session
authentication will pay for and get it. However, those that build a Storage
Area Network within a small enterprise completely isolated from the
internet will not have to pay for what they do not need.
Regards,
Julo
"Bernard D. Aboba" <aboba@internaut.com> on 06/02/2001 15:52:52
Please respond to "Bernard D. Aboba" <aboba@internaut.com>
To: Julian Satran/Haifa/IBM@IBMIL
cc: Black_David@emc.com, ips@ece.cmu.edu, RJ Atkinson <rja@inet.org>,
"Smb@Research. Att. Com" <smb@research.att.com>, Ofer
Biran/Haifa/IBM@IBMIL
Subject: RE: Security Use Requirements
> deployment at 1" - with CRCs mandatory to implement (optional to use) and
> all the rest is optional to use and implement.
CRCs only provide integrity protection, but not authentication, since they
are not keyed. Thus, they provide no protection against spoofing
attacks. Even if the CRC is non-linear, it is not hard to build
a device that will change packets on the fly without fear of detection. The
TCP checksum is non-linear, but it can be guessed right about half the
time.
An example of the kinds of attacks that are possible is found at:
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html. I'm sure the
folks at Berkeley will be happy to provide an equivalent analysis for
iSCSI.
Do you really want to enable attackers to insert or change data destined
for a SAN disk at will? Even if the iSCSI SAN is using link-local addressing,
and therefore is not accessible from the Internet, there is still risk from
internal attack.
A more reasonable approach would be to require at least authentication
and integrity protection (e.g. IPSEC AH or ESP null).
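An added illustration of the point above, not part of the original thread: an unkeyed CRC over a constructed iSCSI-style write payload is simply recomputed by whoever rewrites the payload, whereas a keyed tag (HMAC-SHA256 here, standing in for the integrity check of IPsec AH or ESP-null) cannot be recomputed without the session key, so the change is detected. The payload format and the key are assumptions made up for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample payload (not a real iSCSI PDU encoding): a write to one LBA.
ORIGINAL = b"WRITE LBA=0x1000 DATA=" + bytes(16)
# The same write redirected to a different LBA by an on-path device.
TAMPERED = b"WRITE LBA=0x2000 DATA=" + bytes(16)
# Assumed session key, known to initiator and target only.
SESSION_KEY = b"example-session-key-not-secret"

def crc_protect(payload: bytes) -> bytes:
    """Append an unkeyed CRC32, the only mandatory-to-implement check in the draft."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_verify(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag

def mac_protect(payload: bytes, key: bytes) -> bytes:
    """Append a keyed HMAC-SHA256 tag (stand-in for IPsec AH / ESP-null integrity)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_verify(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def rewrite_crc_frame(new_payload: bytes) -> bytes:
    # No secret is involved, so the new payload just gets a fresh, valid CRC.
    return crc_protect(new_payload)

def rewrite_mac_frame(frame: bytes, new_payload: bytes) -> bytes:
    # Without the key the old tag is all the device has; it no longer matches.
    return new_payload + frame[-32:]

def detection_results() -> dict:
    """True means the receiver detects the modified write, False means it is accepted."""
    crc_frame = crc_protect(ORIGINAL)
    mac_frame = mac_protect(ORIGINAL, SESSION_KEY)
    return {
        "crc_detects_change": not crc_verify(rewrite_crc_frame(TAMPERED)),
        "mac_detects_change": not mac_verify(rewrite_mac_frame(mac_frame, TAMPERED), SESSION_KEY),
        "crc_accepts_genuine": crc_verify(crc_frame),
        "mac_accepts_genuine": mac_verify(mac_frame, SESSION_KEY),
    }

if __name__ == "__main__":
    print(detection_results())
```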