
    RE: iSCSI Security rough consensus



    See below:
    > 
    > By comparison to full IPSec with IKE, using
    > SRP to key ESP does not improve security.
    > The underlying issue is IKE complexity (i.e.,
    > the code and effort required to implement it).
    > 
    > Hence the rationale for using SRP to key
    > ESP is that it provides dynamic key
    > generation without implementing IKE -- this
    > is an improvement over pre-shared keys at
    > a much lower code and effort cost for a
    > single-box (i.e., no external security gateway)
    > implementation.
    
    What I think I'm hearing you say is that you
    are evaluating whether to REQUIRE SRP keying of
    ESP/IPSec because it's easier to do than IKE.
    If so, then in the first place, I don't think that
    is an appropriate justification for a requirement.
    In the second place, I'm not sure I even agree with
    that statement--there are many off-the-shelf IKE
    implementations which can be easily leveraged for
    iSCSI with little or no modification.  IKE doesn't
    need to be conscious of the application (i.e., iSCSI)
    being protected by IPSec.
    
    I also agree with Bernard that this issue is not
    specific to iSCSI, and belongs in the security WG.
    
    Josh
    > 
    > Thanks,
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    



Last updated: Tue Sep 04 01:04:47 2001
6315 messages in chronological order