RE: iSCSI Security rough consensus

See below:

>
> By comparison to full IPSec with IKE, using
> SRP to key ESP does not improve security.
> The underlying issue is IKE complexity (i.e.,
> the code and effort required to implement it).
>
> Hence the rationale for using SRP to key
> ESP is that it provides dynamic key
> generation without implementing IKE -- this
> is an improvement over pre-shared keys at
> a much lower code and effort cost for a
> single-box (i.e., no external security gateway)
> implementation.

What I think I'm hearing you say is that you are evaluating whether to REQUIRE SRP keying of ESP/IPSec because it's easier to do than IKE. If so, then in the first place, I don't think that is an appropriate justification for a requirement. In the second place, I'm not sure I even agree with that statement--there are many off-the-shelf IKE implementations which can be easily leveraged for iSCSI with little or no modification. IKE doesn't need to be conscious of the application (i.e., iSCSI) being protected by IPSec.

I also agree with Bernard that this issue is not specific to iSCSI, and belongs in the security WG.

Josh

>
> Thanks,
> --David
>
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA 01748
> +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
> black_david@emc.com Mobile: +1 (978) 394-7754
> ---------------------------------------------------
>
Last updated: Tue Sep 04 01:04:47 2001