RE: Security Use Requirements

To: <Black_David@emc.com>, <jtseng@NishanSystems.com>
Subject: RE: Security Use Requirements
From: "Bernard Aboba" <aboba@internaut.com>
Date: Fri, 9 Feb 2001 08:32:31 -0800
Cc: <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="iso-8859-1"
Importance: Normal
In-Reply-To: <0F31E5C394DAD311B60C00E029101A0704101505@corpmx9.isus.emc.com>
Sender: owner-ips@ece.cmu.edu

>iSCSI envisions and allows multiple targets behind a single IP
>address and TCP port.  The targets are named (via WWUIs) in a
>fashion that neither IPsec nor TLS can be expected to understand

Let me make sure I understand this. You will have multiple
SCSI authentications to the same target IP address and port. 
Does the initiator port vary between them or is that the
same too?

If the same initiator port is used, I think there
will be a problem. How would the conversants know which IPSEC QM SA 
to use to send a particular transaction? On outbound, from 
the point of view of the IPSEC driver, it sees a packet 
come down with a given IP and transport header. Based on this
information, it decides which IKE QM SA the packet belongs
to, if any. So the driver has no notion of WWUIs, and needs
to make its decision purely based on the IP and transport
headers. If there isn't anything in there that is different
between the QM SAs, the driver will pick one, but it might
not be the right one.

Follow-Ups:
- Re: Security Use Requirements
  - From: David Robinson <David.Robinson@EBay.Sun.COM>

References:
- RE: Security Use Requirements
  - From: Black_David@emc.com

Prev by Date: RE: Security Use Requirements (and security issue with iSCSI boot deployment)
Next by Date: RE: ISCSI: Immediate data extending beyond a single PDU
Prev by thread: RE: Security Use Requirements
Next by thread: Re: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order