RE: Security Use Requirements

["Bernard Aboba" <aboba@internaut.com>]

>>>I think there is a much easier way than the two methods you describe
below.
>>>If the iSCSI authentication is taking place using the SA negotiated by
IKE,
>>>then you have an implicit relationship between IKE and iSCSI
authentication,
>>>right?

>>That would be fine if there is only one iSCSI authentication per IKE QM
>>SA. Is that realistic?

>I think there is only one per connection.
>But by carefull handling at both ends the connection should be able to
>share the same context.

If each iSCSI authentication corresponds to a different initiator port
number, then there is indeed only one per connection (IKE QM SA). The
IP header and IPSEC SPI then link back to the IKE QM SA which in turn
has a link to the IKE MM SA. Thus it is possible to link a given
packet back to the identity used in the IKE MM negotiation.

This implies that a given WWUI is authorized for use on only one
5-tuple, and iSCSI needs to enforce this restriction. If a packet
for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
it. In effect, this results in a hard mapping of WWUI to 5-tuple.
IPSEC can then be relied upon to make sure that traffic on a 5-tuple
is integrity protected (and confidential if requested) and was sent
by the entity that negotiated the IKE MM and QM SAs under which it
was sent.

Does this meet your needs?