RE: iSCSI Security

To: ips@ece.cmu.edu
Subject: RE: iSCSI Security
From: Joshua Tseng <jtseng@NishanSystems.com>
Date: Mon, 5 Mar 2001 22:56:15 -0800
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Julian,

See below:

> 
> Josh,
> 
> We don't want to deal with any of the authentication schemes 
> on which we
> have to keep inventing things and interfaces.

The public key algorithms are already well documented.  I don't
think we're inventing anything new.  See RFC 2437 for RSA and
FIPS-186-2 for DSA.  All we need are some text keys to carry the
verification signatures.

> 
> Kerberos and SRP have everything needed, including being 
> implemented on
> widely available platforms, and beyond them IPSec handles everything.

Many consider Kerberos to be less than secure.  It is yesterday's
technology, and it does not scale well, since it requires manual
distribution and coordination of shared secrets between the
server and its users.  Consequently, the kerberos server is a headache
to set up and maintain, especially for a large number of clients.
Furthermore, it is also a single point of vulnerability, in contrast
to a PKI infrastructure which can rely upon hierarchies of certificate
authorities.

IPSec is optimized to secure IP endpoints.  It will not verify
identities (i.e., WWUI's) unless you implement ISAKMP's optional
features, which may be problematic if you're using an off-the-shelf
ISAKMP implementation.

> 
> Obviously vendors can add anything (including public key).

If you do not add the text keys to negotiate public key authentication,
then there will be no public key method.

I don't think I'm asking for very much--just that you reinstate the
previous public key method from the previous draft.  This will make
key distribution MUCH easier, safer, and scalable.

Regards,
Josh

> 
> Regards,
> Julo
> 
> Joshua Tseng <jtseng@NishanSystems.com> on 05/03/2001 20:53:05
> 
> Please respond to Joshua Tseng <jtseng@NishanSystems.com>
> 
> To:   Julian Satran/Haifa/IBM@IBMIL
> cc:   ips@ece.cmu.edu
> Subject:  iSCSI Security
> 
> 
> 
> 
> Julian,
> 
> Why was the public key authentication method removed from version -05?
> Are you sure you want iSCSI to forsake the benefits of public key
> cryptography?  I strongly suggest it be reinstated as one of the
> authentication
> methods listed in page 95.
> 
> Josh
> 
> 
> 
> 
>

Prev by Date: RE: I-D ACTION:draft-cavanna-iscsi-crc-vs-cksum-00.txt
Next by Date: RE: iSCSI Security
Prev by thread: Re: iSCSI Security
Next by thread: RE: iSCSI Security
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:26 2001
6315 messages in chronological order