
    RE: Security Use Requirements



    > Question:  Does your "mandatory-to-implement" mean
    > "mandatory-to-implement-on-the-same-box", or 
    > "mandatory-to-implement-on-the-same-or-different-box"?
    
    Mandatory-to-implement means "how the protocol behaves
    on the wire" -- i.e., if one party starts to use a mandatory-to-
    implement mechanism, the other party must respond
    appropriately.  Whether 1, 5, or 15 boxes are used 
    is not something a protocol spec should care about,
    although if more than one box is used, whoever assembles
    those boxes will have to deal with the security issues
    that arise on the interfaces among the boxes.
    
    > IPSec security gateways are widely available now, from
    > many different vendors.  Are you ruling out their use
    > to fulfill the security requirement?
    
    I'm definitely not ruling out such gateways, but I want to make
    sure everyone understands that there will probably be interactions
    between such gateways and iSCSI in the area of naming - we
    are going to have to say something about how IPSec's notion
    of identities (e.g., X.509 certificates, and in the SAD/SPD) match
    up with iSCSI's notions (i.e., initiator and target names).
    If the gateway is completely independent of the iSCSI system,
    it'll fall to some higher level of management software or possibly
    manual configuration to make sure that the gateway and the
    corresponding iSCSI system(s) are configured consistently.
    
    > In Orlando the agreement was that authentication digests can be left to
    > specialized protocols (IPsec  and TLS) and iSCSI
    > is not mandated to have them specified outside such a protocol. 
    
    Good thing, as there are lots of ways to get authentication protocols
    and the related integrity digests subtly wrong.
    
    > The issue you raised - can now be translated should we make IPsec or TLS
    > mandatory to implement?
    
    That is correct - we are headed in the direction of making at least one of
    those two mandatory to implement.  Note that it will NOT be acceptable to
    say "implement at least one of these" and let implementers choose which
    one because then an implementation that chose IPSec will not interoperate
    with one that chose TLS (which is a wrong answer).
    
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
    
    



Last updated: Tue Sep 04 01:05:34 2001