RE: Security Use Requirements

To: "Joshua Tseng" <jtseng@NishanSystems.com>
Subject: RE: Security Use Requirements
From: "Bernard Aboba" <aboba@internaut.com>
Date: Thu, 8 Feb 2001 21:56:25 -0800
Cc: <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="Windows-1252"
Importance: Normal
In-Reply-To: <B300BD9620BCD411A366009027C21D9B18FD7B@ariel.nishansystems.com>
Sender: owner-ips@ece.cmu.edu

>TLS affords the capability of securely communicating through
>proxys.  

I think you mean NATs, no? Not sure how you'd proxy SSL
without terminating a TCP connection. 

>On the other hand, IPSec is a real pain to get through
>firewalls.

If you're talking strictly about a firewall, not a NAT, I'm
not sure why there'd be a difference. For IPSEC you need to
open up protocols 50/51, and UDP 500. For SSL/TLS you need
to open up a single TCP port for the application. Either way,
you probably need to restrict communication to iSCSI targets
with appropriate negotiation policies installed.

>If we decide that iSCSI doesn't need to go through
>firewalls, then we could let go of TLS.  

BTW, I'd note that the IPSEC WG is currently taking up the
issue of IPSEC address dependencies and that several proposals
have been put forward. So I wouldn't rule out being able to
traverse NATs with IPSEC at some point in the future. 
Unfortunately however, all of those proposals
interfere with the ability to do HW acceleration :(

References:
- RE: Security Use Requirements
  - From: Joshua Tseng <jtseng@NishanSystems.com>

Prev by Date: RE: Security Use Requirements (and security issue with iSCSI boot deployment)
Next by Date: RE: Security Use Requirements
Prev by thread: RE: Security Use Requirements
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order