
    RE: Security Use Requirements



    David,
    
    The GSS-API supports efforts promoted by Julian.  Privacy at the SAN level
    will be expensive and, if done in software, appear broken.  A
    compression-encryption then signed with a digest will be very
    computationally intensive and increase latency.  Just a signature would
    provide integrity.  There are many mediums and applications that can provide
    privacy as an add-on feature at the file level usable as required without
    impacting the entire operation of the SAN. If the media provides protection,
    then adding privacy at the SAN becomes redundant and may run into export
    restrictions.  A SAN in Germany will not be useable by someone in Spain
    because the fiber travels through France.
    
    With all of this security, we have yet to discuss the back door.  How is the
    user authorized?  The SCSI controller tells the user but where does the
    controller discover this information?  Who holds the key for the back door
    and how does one go about changing the locks?  Most people still have
    windows in their homes at the cost of privacy.  If it becomes important,
    there are curtains that can be drawn over the window and the sound of
    breaking glass is a bad signature.  Privacy applications, curtains, can work
    on any drive and not just network drives.
    
    Doug
    
    > Bernard Aboba wrote:
    > > >iSCSI envisions and allows multiple targets behind a single IP
    > > >address and TCP port.  The targets are named (via WWUIs) in a
    > > >fashion that neither IPsec nor TLS can be expected to understand
    > >
    > > Let me make sure I understand this. You will have multiple
    > > SCSI authentications to the same target IP address and port.
    > > Does the initiator port vary between them or is that the
    > > same too?
    >
    > I haven't heard anyone strongly request this. Hopefully
    > another body will handle this within the SCSI layer.  If
    > there is demand I would suggest looking at how the NFSv4 WG
    > handled this using GSSAPI.  But I personally think that is
    > overkill for iSCSI.
    >
    > 	-David
    >
    
    



Last updated: Tue Sep 04 01:05:32 2001