
    RE: Security Use Requirements



    > This implies that a given WWUI is authorized for use on only one
    > 5-tuple, and iSCSI needs to enforce this restriction. If a packet
    > for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
    > it. In effect, this results in a hard mapping of WWUI to 5-tuple.
    > IPSEC can then be relied upon to make sure that traffic on a 5-tuple
    > is integrity protected (and confidential if requested) and was sent
    > by the entity that negotiated the IKE MM and QM SAs under which it
    > was sent.
    > 
    > Does this meet your needs?
    
    No, but it's close.  The 5-tuple actually has to link to an <initiator,
    target> pair of WWUIs because iSCSI has to support one initiator
    accessing multiple targets, and likewise for
    multiple initiators accessing the same target.  There's the
    additional complication of multiple TCP connections between
    the same initiator and target, although there should be no harm
    in those using either the same SA or different SAs, depending
    on which is more convenient to deal with the fact that the initiator
    port numbers will be different.  It would certainly be reasonable
    to require different initiators at the same IP address to use different
    SAs, and likewise for different targets at the same IP address.
    
    The reason offered for support of multiple iSCSI entities at the same
    IP address and TCP port has been easier passage through
    firewalls (only one port need be opened up, rather than one per
    target).  FWIW, my inclination is similar to David Robinson's -
    one target per <IP address, TCP port> seems to simplify things,
    but there have been strong opinions expressed about the need
    for multiple targets at a single <IP address, TCP port> for firewall
    reasons.
    
    Also, Julian wrote:
    
    > Current iSCSI has a single mechanism that could be used for
    > key distribution - Kerberos.  What I am trying to do is completely
    > remove any need to deal with this subject within iSCSI
    > and to defer to specialized standards.
    > 
    > There many obvious reasons to do that.
    
    I think that's the right direction and consistent with the direction
    that we agreed to in Orlando.
    
    
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
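The enforcement rules discussed in this message, modelled as an added example that is not part of the original thread or of any iSCSI implementation: each TCP 5-tuple is bound to exactly one <initiator WWUI, target WWUI> pair and to the IPsec SA protecting it, extra TCP connections of the same pair may share that SA, a different initiator or target at the same address must use its own SA, and a PDU whose WWUIs do not match the binding of the 5-tuple it arrived on is discarded. The `SessionBinder` class, the integer SA ids, the WWUI strings and the addresses are all constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class FiveTuple:
    """TCP connection identity: protocol, source and destination IP/port."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SessionBinder:
    """Hard mapping of each 5-tuple to one <initiator WWUI, target WWUI> pair
    and to the IPsec SA (a constructed integer id here) protecting it."""
    def __init__(self):
        self.by_tuple = {}  # FiveTuple -> (init_wwui, tgt_wwui, sa_id)
        self.sa_pair = {}   # sa_id -> (init_wwui, tgt_wwui)

    def bind(self, ft, init_wwui, tgt_wwui, sa_id):
        """Register a connection. False if the 5-tuple is already bound to a
        different pair, or the SA is already owned by a different pair."""
        pair = (init_wwui, tgt_wwui)
        if ft in self.by_tuple and self.by_tuple[ft][:2] != pair:
            return False
        # Extra TCP connections of the same pair may share an SA; a different
        # initiator or target at the same address must use its own SA.
        if self.sa_pair.get(sa_id, pair) != pair:
            return False
        self.by_tuple[ft] = (init_wwui, tgt_wwui, sa_id)
        self.sa_pair[sa_id] = pair
        return True

    def accept(self, ft, init_wwui, tgt_wwui):
        """Per-PDU check: accept only if the WWUIs in the PDU match the pair
        bound to the 5-tuple it arrived on; anything else is discarded."""
        bound = self.by_tuple.get(ft)
        return bound is not None and bound[:2] == (init_wwui, tgt_wwui)

def demo():
    """Constructed scenario: two targets behind one <IP, port>, one initiator
    opening several TCP connections (different source ports)."""
    b = SessionBinder()
    c1 = FiveTuple("tcp", "10.0.0.1", 40001, "10.0.0.2", 3260)
    c2 = FiveTuple("tcp", "10.0.0.1", 40002, "10.0.0.2", 3260)
    c3 = FiveTuple("tcp", "10.0.0.1", 40003, "10.0.0.2", 3260)
    return [b.bind(c1, "wwui-init-a", "wwui-tgt-1", 1),  # True
            b.bind(c2, "wwui-init-a", "wwui-tgt-1", 1),  # True: same pair, 2nd conn
            b.bind(c3, "wwui-init-a", "wwui-tgt-2", 1),  # False: other target, same SA
            b.bind(c3, "wwui-init-a", "wwui-tgt-2", 2),  # True: its own SA
            b.accept(c1, "wwui-init-a", "wwui-tgt-1"),   # True
            b.accept(c1, "wwui-init-b", "wwui-tgt-1")]   # False: wrong WWUI
```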