Re: iSCSI Security rough consensus

Black_David@emc.com wrote:
>
> > Sure would be nice if we could make up our minds and just
> > implement one mechanism.
> >
> > Here we have two mechanisms (iSCSI header/data integrity
> > and ESP) which are both mandatory to implement and
> > optional to use. Since ESP seems like a superset why not
> > just have that and get rid of the "integrity only" iSCSI
> > CRC mechanism.
>
> It sure would be nice, and in fact we had almost
> exactly this discussion later in the evening as
> part of the error recovery section of the agenda.
> The fly in the ointment is that the HMAC integrity
> algorithm that is at the core of ESP's integrity
> support is considerably more expensive (software
> or hardware) than a CRC, and this isn't likely
> to improve as I understand things. I would expect
> to see implementations with ESP completely in
> software and visible performance impacts.

That's just part of the reason behind having both. The other is
that most implementations won't run IPsec end-to-end; either IPsec
is provided in an external device, or even in an iSCSI gateway. In
the latter case, all layers are removed and replaced, including
iSCSI. Only the SCSI-level information (data, CDBs) goes all the
way end-to-end. Since iSCSI can CRC the SCSI-level data, it can
provide the data integrity that will keep our customers happy.

The use of the iSCSI CRC is the minimum requirement; adding the
IPsec-level integrity check strengthens it, and can simplify
error recovery over a not-so-good or untrusted network.

--
Mark

>
> I really need to get the meeting minutes written up :-).
>
> Thanks,
> --David
>
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA 01748
> +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
> black_david@emc.com Mobile: +1 (978) 394-7754
> ---------------------------------------------------

--
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054
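The difference between the two integrity mechanisms discussed in this thread, as an added example that is not part of the original messages: it runs one data block through an unkeyed CRC and a keyed HMAC and reports what each check catches. Assumptions: CRC32C stands in for the iSCSI CRC, HMAC-SHA1 truncated to 96 bits stands in for the ESP integrity algorithm, and the key and data block are constructed samples.

```python
import hashlib
import hmac

# CRC32C (Castagnoli), reflected polynomial 0x82F63B78. Assumption: the
# thread does not name a polynomial; this one stands in for the iSCSI CRC.
def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _make_table()

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def esp_style_icv(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 truncated to 96 bits as the ESP integrity value.
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def receive(key: bytes, data: bytes, digest: int, icv: bytes) -> dict:
    """Report which of the receiver's two checks accept the received block."""
    return {
        "crc_ok": crc32c(data) == digest,
        "hmac_ok": hmac.compare_digest(esp_style_icv(key, data), icv),
    }

def scenarios():
    key = b"constructed-shared-key"   # constructed sample key
    block = bytes(range(256)) * 2     # constructed 512-byte data block
    digest, icv = crc32c(block), esp_style_icv(key, block)

    # Not-so-good network: one bit flips in transit, check values untouched.
    flipped = bytearray(block)
    flipped[100] ^= 0x01
    accidental = receive(key, bytes(flipped), digest, icv)

    # Untrusted network: the block is replaced by a party without the key.
    # The CRC is unkeyed, so a matching digest accompanies the new data;
    # the original ICV cannot be regenerated without the key.
    altered = b"\x00" * 512
    deliberate = receive(key, altered, crc32c(altered), icv)
    return accidental, deliberate
```

Both checks reject the accidental bit flip; only the keyed check rejects the replaced block, which is the sense in which the IPsec-level check strengthens the CRC on an untrusted network.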
Last updated: Tue Sep 04 01:04:47 2001