RE: Security Use Requirements (and security issue with iSCSI boot deployment)

To: "Glen Turner" <glen.turner@aarnet.edu.au>, <Black_David@emc.com>
Subject: RE: Security Use Requirements (and security issue with iSCSI boot deployment)
From: "Bernard Aboba" <aboba@internaut.com>
Date: Thu, 8 Feb 2001 21:45:55 -0800
Cc: <rja@inet.org>, <julian_satran@il.ibm.com>, <ips@ece.cmu.edu>, <biran@il.ibm.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <3A810307.EF2AA637@aarnet.edu.au>
Sender: owner-ips@ece.cmu.edu

>At the least it should be noted in Security Considerations that vendors
>should consider providing a mechanism for vendor-to-booter verification
>of a boot image.

Such a thing already exists. It's part of the PXE specification and
involves storing on the PC a public key that is used to sign the boot 
image. 

>It would be really nice if iSCSI-boot suggested a mechanism, so that
>it could be built into ROMs by manufacturers that are implementing
>iSCSI-boot and so that the hardware manufacturer could not use the
>mechanism to lock out alternative operating systems.

This capability is already built into PXE-compliant
boot ROMs. In fact, you may already have purchased a NIC that 
implements PXE!

I should note that there are some interesting issues that arise when 
using PXE to do secure iSCSI boot, but I'll leave that issue to another
discussion.

References:
- Re: Security Use Requirements (and security issue with iSCSI boot deployment)
  - From: Glen Turner <glen.turner@aarnet.edu.au>

Prev by Date: RE: Security Use Requirements
Next by Date: RE: Security Use Requirements
Prev by thread: Re: Security Use Requirements (and security issue with iSCSI boot deployment)
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order