RE: Security Use Requirements

To: aboba@internaut.com, julian_satran@il.ibm.com
Subject: RE: Security Use Requirements
From: Black_David@emc.com
Date: Mon, 12 Feb 2001 01:43:05 -0500
Cc: jtseng@NishanSystems.com, ips@ece.cmu.edu
Content-Type: text/plain
Sender: owner-ips@ece.cmu.edu

> This implies that a given WWUI is authorized for use on only one
> 5-tuple, and iSCSI needs to enforce this restriction. If a packet
> for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
> it. In effect, this results in a hard mapping of WWUI to 5-tuple.
> IPSEC can then be relied upon to make sure that traffic on a 5-tuple
> is integrity protected (and confidential if requested) and was sent
> by the entity that negotiated the IKE MM and QM SAs under which it
> was sent.
> 
> Does this meet your needs?

No, but it's close.  The 5-tuple actually has to link to an <initiator,
target> pair of WWUIs because iSCSI has to support
 one initiator accessing multiple targets, and likewise for
multiple initiators accessing the same target.  There's the
additional complication of multiple TCP connections between
the same initiator and target, although there should be no harm
in those using either the same SA or different SAs, depending
on which is more convenient to deal with the fact that the initiator
port numbers will be different.  It would certainly be reasonable
to require different initiators at the same IP address to use different
SAs, and likewise for different targets at the same IP address.

The reason offered for support of multiple iSCSI entities at the same
IP address and TCP port has been easier passage through
firewalls (only one port need be opened up, rather than one per
target).  FWIW, my inclination is similar to David Robinson's -
one target per <IP address, TCP port> seems to simplify things,
but there have been strong opinions expressed about the need
for multiple targets at a single <IP address, TCP port> for firewall
reasons.

Also, Julian wrote:

> Current iSCSI has  a single mechanism that could be used for
> key distribution - Kerberos.  What I am trying to do is completely
> remove any need to deal with this subject within iSCSI
> and to defer to specialized standards.
> 
> There many obvious reasons to do that.

I think that's the right direction and consistent with the direction
that we agreed to in Orlando.

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: Security Use Requirements
Next by Date: RE: Security Use Requirements
Prev by thread: RE: Security Use Requirements
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order