RE: Security Use Requirements

> Question: Does your "mandatory-to-implement" mean
> "mandatory-to-implement-on-the-same-box", or
> "mandatory-to-implement-on-the-same-or-different-box"?

Mandatory-to-implement means "how the protocol behaves on the wire" -- i.e., if one party starts to use a mandatory-to-implement mechanism, the other party must respond appropriately. Whether 1, 5, or 15 boxes are used is not something a protocol spec should care about, although if more than one box is used, whoever assembles those boxes will have to deal with the security issues that arise on the interfaces among the boxes.

> IPSec security gateways are widely available now, from
> many different vendors. Are you ruling out their use
> to fulfill the security requirement?

I'm definitely not ruling out such gateways, but I want to make sure everyone understands that there will probably be interactions between such gateways and iSCSI in the area of naming - we are going to have to say something about how IPSec's notion of identities (e.g., X.509 certificates, and in the SAD/SPD) match up with iSCSI's notions (i.e., initiator and target names). If the gateway is completely independent of the iSCSI system, it'll fall to some higher level of management software or possibly manual configuration to make sure that the gateway and the corresponding iSCSI system(s) are configured consistently.

> In Orlando the agreement was that authentication digests can be left to
> specialized protocols (IPsec and TLS) and iSCSI
> is not mandated to have them specified outside such a protocol.

Good thing, as there are lots of ways to get authentication protocols and the related integrity digests subtly wrong.

> The issue you raised - can now be translated should we make IPsec or TLS
> mandatory to implement?

That is correct - we are headed in the direction of making at least one of those two mandatory to implement.

Note that it will NOT be acceptable to say "implement at least one of these" and let implementers choose which one because then an implementation that chose IPSec will not interoperate with one that chose TLS (which is a wrong answer).

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140      FAX: +1 (508) 497-8500
black_david@emc.com           Mobile: +1 (978) 394-7754
---------------------------------------------------