RE: iSCSI Security rough consensus

I read this as violent agreement with what I posted.

Thanks,
--David

> -----Original Message-----
> From: Joshua Tseng [SMTP:jtseng@nishansystems.com]
> Sent: Friday, May 04, 2001 3:30 PM
> To: 'Black_David@emc.com'; ips@ece.cmu.edu
> Subject: RE: iSCSI Security rough consensus
>
> See below:
>
> > By comparison to full IPSec with IKE, using
> > SRP to key ESP does not improve security.
> > The underlying issue is IKE complexity (i.e.,
> > the code and effort required to implement it).
> >
> > Hence the rationale for using SRP to key
> > ESP is that it provides dynamic key
> > generation without implementing IKE -- this
> > is an improvement over pre-shared keys at
> > a much lower code and effort cost for a
> > single-box (i.e., no external security gateway)
> > implementation.
>
> What I think I'm hearing you say is that you
> are evaluating whether to REQUIRE SRP keying of
> ESP/IPSec because it's easier to do than IKE.
> If so, then in the first place, I don't think that
> is an appropriate justification for a requirement.
> In the second place, I'm not sure I even agree with
> that statement--there are many off-the-shelf IKE
> implementations which can be easily leveraged for
> iSCSI with little or no modification. IKE doesn't
> need to be conscious of the application (i.e., iSCSI)
> being protected by IPSec.
>
> I also agree with Bernard that this issue is not
> specific to iSCSI, and belongs in the security WG.
>
> Josh
>
> > Thanks,
> > --David
> >
> > ---------------------------------------------------
> > David L. Black, Senior Technologist
> > EMC Corporation, 42 South St., Hopkinton, MA 01748
> > +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
> > black_david@emc.com Mobile: +1 (978) 394-7754
> > ---------------------------------------------------

Last updated: Tue Sep 04 01:04:47 2001