Re: iSCSI Security rough consensus

To: Black_David@emc.com
Subject: Re: iSCSI Security rough consensus
From: Mark Bakke <mbakke@cisco.com>
Date: Fri, 04 May 2001 15:03:31 -0500
CC: someshg@yahoo.com, ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <0F31E5C394DAD311B60C00E029101A070801550E@corpmx9.isus.emc.com>
Sender: owner-ips@ece.cmu.edu

Black_David@emc.com wrote:
> 
> > Sure would be nice if we could make up our minds and just
> >  implement one mechanism.
> >
> >   Here we have two mechanisms (iSCSI header/data integrity
> >   and ESP) which are both mandatory to implement and
> >   optional to use. Since ESP seems like a superset why not
> >   just have that and get rid of the "integrity only" iSCSI
> >   CRC mechanism.
> 
> It sure would be nice, and in fact we had almost
> exactly this discussion later in the evening as
> part of the error recovery section of the agenda.
> The fly in the ointment is that the HMAC integrity
> algorithm that is at the core of ESP's integrity
> support is considerably more expensive (software
> or hardware) than a CRC, and this isn't likely
> to improve as I understand things.  I would expect
> to see implementations with ESP completely in
> software and visible performance impacts.

That's just part of the reason behind having both.  The other is
that most implementations won't run IPsec end-to-end; either IPsec
is provided in an external device, or even in an iSCSI gateway.
In the latter case, all layers are removed and replaced, including
iSCSI.  Only the SCSI-level information (data, CDBs) go all the
way end-to-end.  Since iSCSI can CRC the SCSI-level data, it can
provide the data integrity that will keep our customers happy.

The use of the iSCSI CRC is the minimum requirement; adding the
IPsec-level integrity check strengthens it, and can simplify error
recovery over a not-so-good or untrusted network.

--
Mark

> 
> I really need to get the meeting minutes written up :-).
> 
> Thanks,
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054

References:
- RE: iSCSI Security rough consensus
  - From: Black_David@emc.com

Prev by Date: RE: iSCSI : login keys & mode page settings
Next by Date: Re: iSCSI: Nailing down CRC-32C
Prev by thread: RE: iSCSI Security rough consensus
Next by thread: RE: iSCSI Security rough consensus
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:47 2001
6315 messages in chronological order