SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Security Use Requirements



    >is that it's necessary to ensure that there isn't a gap between iSCSI
    >authentication and IPSec authentication/integrity/confidentiality that
    >would allow the communication to be attacked without breaking IPSec.
    
    I think you're basically asking to make sure that an given IPSEC-protected
    iSCSI packet originated from the same entity that completed the 
    iSCSI authentication, no?
    
    In IPSEC there is a similar issue in that you want to make sure that a
    given IPSEC packet originated from the same entity with which you
    negotiated the IKE MM and QM SAs. The packet identity is tied back to the
    IKE-provided identity via the IP header and SPI, and the claim of
    identity is proven by verifying the integrity/authenticity of the
    packet, thereby verifying that the entity has posession of the 
    key previously negotiated within IKE. 
    
    So, in the case of iSCSI authentication, you have a claim of identity,
    and a proof of identity. To link this to an IPSEC packet, you have
    a few choices:
    
    1. Somehow link the identity claimed in the iSCSI authentication to
    information exchanged within the IKE negotiation.
    
    If you can link the iSCSI authentication to the IKE MM and QM SAs, 
    you will have a link to the IPSEC packet via the IP header and SPI. 
    
    Note that "information exchanged" may constitute more than just
    the claimed IKE identity. It could include information within the
    cert, for example.
    
    It is best to accomplish this without trying to invent new
    identity payloads within IKE. 
    
    2. Somehow link the proof of identity within iSCSI authentication
    to the proof of identity made within IKE. For example, if a key
    is generated within iSCSI authentication, then this key can be
    used as a shared secret within IKE. 
    
    However, in order to make this work, you will also need to link
    the iSCSI authentication claim of identity to the claim of
    identity made within IKE. Note that this does not mean that
    the claims are identical -- merely that they can be bound in
    a secure way. 
    


Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order