RE: Security Use Requirements

>>>I think there is a much easier way than the two methods you describe below.
>>>If the iSCSI authentication is taking place using the SA negotiated by IKE,
>>>then you have an implicit relationship between IKE and iSCSI authentication,
>>>right?

>>That would be fine if there is only one iSCSI authentication per IKE QM
>>SA. Is that realistic?

>I think there is only one per connection.
>But by careful handling at both ends the connection should be able to
>share the same context.

If each iSCSI authentication corresponds to a different initiator port number, then there is indeed only one per connection (IKE QM SA). The IP header and IPSEC SPI then link back to the IKE QM SA, which in turn has a link to the IKE MM SA. Thus it is possible to link a given packet back to the identity used in the IKE MM negotiation.

This implies that a given WWUI is authorized for use on only one 5-tuple, and iSCSI needs to enforce this restriction. If a packet for the wrong WWUI arrives on a 5-tuple, then iSCSI needs to discard it. In effect, this results in a hard mapping of WWUI to 5-tuple. IPSEC can then be relied upon to make sure that traffic on a 5-tuple is integrity protected (and confidential if requested) and was sent by the entity that negotiated the IKE MM and QM SAs under which it was sent.

Does this meet your needs?
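The hard WWUI-to-5-tuple mapping described in the reply, as an added Python model that is not from the thread or any iSCSI implementation; the per-packet IKE identity handed over by IPsec, the WWUI strings and the addresses are assumptions chosen for the example:

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (src ip, dst ip, src port, dst port, protocol), taken from the IP/TCP headers
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class WwuiBinder:
    """Hard mapping of WWUI to 5-tuple. `ike_identity` is the identity from the
    IKE MM negotiation that IPsec is assumed to report for the packet's SA
    (assumption: a real stack would look it up via SPI -> QM SA -> MM SA)."""
    by_tuple: Dict[FiveTuple, str] = field(default_factory=dict)  # 5-tuple -> WWUI
    by_wwui: Dict[str, FiveTuple] = field(default_factory=dict)   # WWUI -> 5-tuple
    ike_id: Dict[FiveTuple, str] = field(default_factory=dict)    # 5-tuple -> IKE identity

    def bind(self, wwui: str, ft: FiveTuple, ike_identity: str) -> bool:
        """Record the binding at iSCSI login. Refuse if the 5-tuple already
        carries another WWUI, the WWUI is already authorized on a different
        5-tuple, or the 5-tuple was previously tied to another IKE identity."""
        if self.by_tuple.get(ft, wwui) != wwui:
            return False
        if self.by_wwui.get(wwui, ft) != ft:
            return False
        if self.ike_id.get(ft, ike_identity) != ike_identity:
            return False
        self.by_tuple[ft], self.by_wwui[wwui], self.ike_id[ft] = wwui, ft, ike_identity
        return True

    def accept(self, wwui: str, ft: FiveTuple, ike_identity: str) -> bool:
        """Per-packet check: keep the packet only if both the WWUI and the
        IKE identity match what is bound to its 5-tuple; otherwise discard."""
        return self.by_tuple.get(ft) == wwui and self.ike_id.get(ft) == ike_identity


if __name__ == "__main__":
    # Constructed sample: two initiator ports on one host talking to one target.
    t1 = ("10.0.0.5", "10.0.0.9", 40001, 3260, "tcp")
    t2 = ("10.0.0.5", "10.0.0.9", 40002, 3260, "tcp")
    b = WwuiBinder()
    print(b.bind("wwui-a", t1, "host5"))    # True
    print(b.bind("wwui-b", t1, "host5"))    # False: t1 already owned by wwui-a
    print(b.accept("wwui-b", t1, "host5"))  # False: packet would be discarded
    print(b.accept("wwui-a", t2, "host5"))  # False: wwui-a is not bound on t2
```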
Last updated: Tue Sep 04 01:05:32 2001 (6315 messages in chronological order)