RE: Security Use Requirements

> This implies that a given WWUI is authorized for use on only one
> 5-tuple, and iSCSI needs to enforce this restriction. If a packet
> for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
> it. In effect, this results in a hard mapping of WWUI to 5-tuple.
> IPSEC can then be relied upon to make sure that traffic on a 5-tuple
> is integrity protected (and confidential if requested) and was sent
> by the entity that negotiated the IKE MM and QM SAs under which it
> was sent.
>
> Does this meet your needs?

No, but it's close. The 5-tuple actually has to link to an <initiator, target> pair of WWUIs because iSCSI has to support one initiator accessing multiple targets, and likewise for multiple initiators accessing the same target. There's the additional complication of multiple TCP connections between the same initiator and target, although there should be no harm in those using either the same SA or different SAs, depending on which is more convenient to deal with the fact that the initiator port numbers will be different. It would certainly be reasonable to require different initiators at the same IP address to use different SAs, and likewise for different targets at the same IP address.

The reason offered for support of multiple iSCSI entities at the same IP address and TCP port has been easier passage through firewalls (only one port need be opened up, rather than one per target). FWIW, my inclination is similar to David Robinson's - one target per <IP address, TCP port> seems to simplify things, but there have been strong opinions expressed about the need for multiple targets at a single <IP address, TCP port> for firewall reasons.

Also, Julian wrote:

> Current iSCSI has a single mechanism that could be used for
> key distribution - Kerberos. What I am trying to do is completely
> remove any need to deal with this subject within iSCSI
> and to defer to specialized standards.
>
> There are many obvious reasons to do that.

I think that's the right direction and consistent with the direction that we agreed to in Orlando.

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
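An added illustration of the binding discussed in this message (not code from the thread or from any iSCSI implementation): a target-side table that binds each 5-tuple to one <initiator WWUI, target WWUI> pair at login and discards PDUs whose claimed pair does not match. It assumes the IPsec SA can be identified by an SPI value, applies the stricter rule that no two pairs share an SA, and uses constructed WWUI names and addresses.

```python
# Added example, not code from the thread or from any iSCSI implementation.
# A target-side table that binds each 5-tuple to one <initiator WWUI,
# target WWUI> pair at login, then discards PDUs whose claimed pair (or
# IPsec SA) does not match the binding.
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"  # iSCSI runs over TCP


class WwuiBinder:
    """Hard mapping of 5-tuple -> ((initiator, target), spi).

    The IPsec SA is identified by its SPI (an assumption for this example).
    Several connections of the same pair may share one SA; a pair may not
    share an SA with any other pair, which is a stricter form of the rule
    that different initiators (or targets) at one IP use different SAs.
    """

    def __init__(self):
        self._bindings = {}  # FiveTuple -> (pair, spi)
        self._sa_owner = {}  # spi -> pair

    def bind(self, ft, initiator, target, spi):
        """Record the binding at login; False means the login is rejected."""
        pair = (initiator, target)
        if ft in self._bindings and self._bindings[ft][0] != pair:
            return False  # 5-tuple already belongs to another pair
        if self._sa_owner.get(spi, pair) != pair:
            return False  # SA already belongs to another pair
        self._bindings[ft] = (pair, spi)
        self._sa_owner[spi] = pair
        return True

    def accept_pdu(self, ft, initiator, target, spi):
        """True only if the PDU's claimed pair and SA are the ones bound to ft."""
        return self._bindings.get(ft) == ((initiator, target), spi)

    def unbind(self, ft):
        """Release the binding when the connection closes; free the SA if idle."""
        bound = self._bindings.pop(ft, None)
        if bound and all(spi != bound[1] for _, spi in self._bindings.values()):
            self._sa_owner.pop(bound[1], None)
```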