
    RE: Security Use Requirements



    >>>I think there is a much easier way than the two methods you describe below.
    >>>If the iSCSI authentication is taking place using the SA negotiated by IKE,
    >>>then you have an implicit relationship between IKE and iSCSI authentication,
    >>>right?
    
    >>That would be fine if there is only one iSCSI authentication per IKE QM
    >>SA. Is that realistic?
    
    >I think there is only one per connection.
    >But by careful handling at both ends the connection should be able to
    >share the same context.
    
    If each iSCSI authentication corresponds to a different initiator port
    number, then there is indeed only one per connection (IKE QM SA). The
    IP header and IPSEC SPI then link back to the IKE QM SA which in turn
    has a link to the IKE MM SA. Thus it is possible to link a given
    packet back to the identity used in the IKE MM negotiation.
    
    This implies that a given WWUI is authorized for use on only one
    5-tuple, and iSCSI needs to enforce this restriction. If a packet
    for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
    it. In effect, this results in a hard mapping of WWUI to 5-tuple.
    IPSEC can then be relied upon to make sure that traffic on a 5-tuple
    is integrity protected (and confidential if requested) and was sent
    by the entity that negotiated the IKE MM and QM SAs under which it
    was sent.
    
    Does this meet your needs?
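As an added illustration (not part of the original message, and not code from any iSCSI or IPsec implementation), the following Python models the enforcement the message describes: a packet's SPI is walked back through the QM SA to the MM SA identity, each WWUI is authorized for exactly one IKE identity, and a 5-tuple is hard-mapped to one WWUI at login, with anything that violates either binding discarded. The SPI-to-SA table, the WWUI-to-identity authorization table and the sample identities are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the chain in the message; not a real SAD or iSCSI stack.
FiveTuple = Tuple[str, str, int, int, str]  # src ip, dst ip, src port, dst port, proto


@dataclass
class IkeMainModeSA:
    peer_identity: str  # identity authenticated in the IKE MM exchange


@dataclass
class IkeQuickModeSA:
    spi: int            # IPsec SPI carried in the packet's ESP/AH header
    mm_sa: IkeMainModeSA


@dataclass
class IscsiIdentityBinder:
    sad: Dict[int, IkeQuickModeSA]  # SPI -> QM SA (stand-in for the IPsec SAD)
    authorized: Dict[str, str]      # WWUI -> IKE identity allowed to present it
    bindings: Dict[FiveTuple, str] = field(default_factory=dict)  # 5-tuple -> WWUI

    def identity_for(self, spi: int) -> Optional[str]:
        """Walk packet -> SPI -> QM SA -> MM SA -> authenticated identity."""
        qm = self.sad.get(spi)
        return qm.mm_sa.peer_identity if qm else None

    def _identity_matches(self, spi: int, wwui: str) -> bool:
        ident = self.identity_for(spi)
        return ident is not None and self.authorized.get(wwui) == ident

    def accept_login(self, ft: FiveTuple, spi: int, wwui: str) -> bool:
        """Hard-map the WWUI to this 5-tuple at login, or reject the login."""
        if not self._identity_matches(spi, wwui):
            return False  # WWUI is not tied to the identity behind this SA
        if self.bindings.get(ft, wwui) != wwui:
            return False  # 5-tuple is already mapped to a different WWUI
        self.bindings[ft] = wwui
        return True

    def accept_pdu(self, ft: FiveTuple, spi: int, wwui: str) -> bool:
        """Later PDUs must carry the bound WWUI and arrive under the same SA chain."""
        return self.bindings.get(ft) == wwui and self._identity_matches(spi, wwui)
```

A PDU that arrives on a 5-tuple with a different WWUI than the one bound at login, or under an SPI that does not chain back to the identity authorized for that WWUI, is rejected; a second login on the same 5-tuple with another WWUI is rejected for the same reason.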
    