RE: Security Use Requirements

> > It isn't enough to just point to existing security mechanisms and
> > say "use these". It's necessary to say how to use them with
> > the protocol and what other assumptions must be true in order
> > to achieve the desired security properties - some of these
> > assumptions will be requirements on other components/protocols
> > in the environment.
>
> Thanks, and the point I'm trying to make is that iSCSI and IPSec/IKE can
> pretty much work independently, with no compromise to security. Having
> IPSec and/or IKE become involved in iSCSI (or vice-versa) will increase
> complexity while adding little additional value.

I think Josh and I are in violent agreement on this. In particular, I
don't see any need to put WWUIs into IPSec/IKE or X.509 certificates.
Mechanisms like iSNS can handle the mapping between the various sorts of
identities, provided that iSNS is suitably secure.

OTOH, there's a lot of work needed on the security text in the current
iSCSI draft -- for example, Josh describes certificates and iSNS as being
able to prevent certain attacks on key distribution, but the current iSCSI
draft is basically silent on both subjects, and in particular does not
describe how one party in an iSCSI authentication interaction gets its
hands on the other's certificate to check it (which is generally a good
thing to be able to do when certificates are used).

The specific answer to:

> The point is that IPSec provides the PER PACKET data
> integrity/authentication and if desired, encryption. The iSCSI login
> process provides authentication AND authorization of the communicating
> entities. What more do you need?

is that it's necessary to ensure that there isn't a gap between iSCSI
authentication and IPSec authentication/integrity/confidentiality that
would allow the communication to be attacked without breaking IPSec.
Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
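One way to picture the "gap" the message above is about, as an added illustration that is not part of this thread, the iSCSI draft, or any implementation: the target records which IKE-authenticated peer identity carried a successful iSCSI login, and then refuses PDUs for that session that arrive from any other peer. The `IDENTITY_MAP` table is a constructed stand-in for a directory such as iSNS mapping iSCSI initiator names to IKE identities; the names, SPIs and function names are all hypothetical.

```python
"""
Hypothetical model of binding an iSCSI login to the IPsec SA that carries it.
Added illustration only: not the mechanism of the iSCSI draft or of any
product. The identity map stands in for a directory such as iSNS.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpsecSA:
    """A security association as seen by the iSCSI layer."""
    spi: int               # SA that delivered the packet (changes on rekey)
    peer_identity: str     # peer identity IKE authenticated for this SA


@dataclass
class IscsiSession:
    """An iSCSI session together with the IKE identity it is bound to."""
    initiator_name: str    # name presented and authenticated at iSCSI login
    bound_peer: str        # IKE identity the session's packets must come from


# Constructed mapping (hypothetical iSNS contents): which IKE identity is
# allowed to carry traffic for which iSCSI initiator name.
IDENTITY_MAP = {
    "iqn.2001-04.com.example:host1": "host1.example.com",
    "iqn.2001-04.com.example:host2": "host2.example.com",
}


def accept_login(initiator_name: str, login_authenticated: bool,
                 sa: Optional[IpsecSA]) -> Optional[IscsiSession]:
    """Bind a successful iSCSI login to the SA it arrived on.

    Returns the new session, or None when the login must be refused because
    it cannot be tied to an IPsec peer entitled to that initiator name.
    """
    if not login_authenticated:
        return None                      # iSCSI-level authentication failed
    if sa is None:
        return None                      # no SA: packets get no IPsec protection
    expected_peer = IDENTITY_MAP.get(initiator_name)
    if expected_peer is None or expected_peer != sa.peer_identity:
        return None                      # IKE peer is not who logged in at iSCSI
    return IscsiSession(initiator_name, sa.peer_identity)


def accept_pdu(session: IscsiSession, sa: Optional[IpsecSA]) -> bool:
    """Accept a PDU for the session only if it came from the bound IKE peer.

    Comparing the authenticated peer identity rather than the SPI keeps the
    binding intact across IPsec rekeying, where the SPI changes but the
    identity does not.
    """
    return sa is not None and sa.peer_identity == session.bound_peer


if __name__ == "__main__":
    sa_host1 = IpsecSA(spi=0x1001, peer_identity="host1.example.com")
    sa_host2 = IpsecSA(spi=0x1002, peer_identity="host2.example.com")
    session = accept_login("iqn.2001-04.com.example:host1", True, sa_host1)
    print("login bound:", session is not None)
    rekeyed = IpsecSA(spi=0x1003, peer_identity="host1.example.com")
    print("PDU on rekeyed SA from same peer accepted:", accept_pdu(session, rekeyed))
    print("PDU from a different peer accepted:", accept_pdu(session, sa_host2))
```

The three refusals in `accept_login` (no SA, unknown name, peer mismatch) and the per-PDU check are the places where, without a binding, iSCSI login authentication and IPsec per-packet protection could each be satisfied by different parties; the model makes that binding an explicit, checkable rule rather than an assumption.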
Last updated: Tue Sep 04 01:05:33 2001