RE: iSCSI Security rough consensus

[Black_David@emc.com]

> Does this consensus mean that the iSCSI header and data CRCs
> are no longer part of the specification, or are we
> still requiring one or the other or both?

Repeat after me: "CRCs are not security mechanisms" ;-)
;-), and see the previous email on this list about the
consequences of WEP trying to use CRCs in this fashion.

Yes, CRCs are still required for data integrity (e.g.,
when ESP is not present).  If one knows that ESP with
its keyed HMAC is being used in the stack between TCP and
IP, then it would make sense not to use CRCs at the iSCSI
level, hence they're required to implement, but configurable
to use (which will also be the case for ESP).  This may
not always be possible, as one of the things mentioned
in the meeting is that if the IPSec implementation is
independent of iSCSI (e.g., supplied as part of the OS),
there's no general standard way for iSCSI to figure out
that IPSec is there or what it's doing to traffic on any
particular iSCSI connection.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------