
    Re: iSCSI Security rough consensus



    Black_David@emc.com wrote:
    > 
    > > Sure would be nice if we could make up our minds and just
    > >  implement one mechanism.
    > >
    > >   Here we have two mechanisms (iSCSI header/data integrity
    > >   and ESP) which are both mandatory to implement and
    > >   optional to use. Since ESP seems like a superset why not
    > >   just have that and get rid of the "integrity only" iSCSI
    > >   CRC mechanism.
    > 
    > It sure would be nice, and in fact we had almost
    > exactly this discussion later in the evening as
    > part of the error recovery section of the agenda.
    > The fly in the ointment is that the HMAC integrity
    > algorithm that is at the core of ESP's integrity
    > support is considerably more expensive (software
    > or hardware) than a CRC, and this isn't likely
    > to improve as I understand things.  I would expect
    > to see implementations with ESP completely in
    > software and visible performance impacts.
    
    That's just part of the reason behind having both.  The other is
    that most implementations won't run IPsec end-to-end; either IPsec
    is provided in an external device, or even in an iSCSI gateway.
    In the latter case, all layers are removed and replaced, including
    iSCSI.  Only the SCSI-level information (data, CDBs) goes all the
    way end-to-end.  Since iSCSI can CRC the SCSI-level data, it can
    provide the data integrity that will keep our customers happy.
    
    The use of the iSCSI CRC is the minimum requirement; adding the
    IPsec-level integrity check strengthens it, and can simplify error
    recovery over a not-so-good or untrusted network.
    
    --
    Mark
    
    > 
    > I really need to get the meeting minutes written up :-).
    > 
    > Thanks,
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    
    -- 
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
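
The difference between the two integrity mechanisms discussed in this message, as an added example that is not part of the original post or of any iSCSI implementation: an unkeyed CRC catches accidental corruption but can be recomputed by anyone who alters the data, while a keyed HMAC cannot. The choice of CRC32C, HMAC-SHA1 truncated to 96 bits, the key and the sample block are assumptions made for illustration.

```python
import hashlib
import hmac

def _build_table():
    # Reflected CRC32C (Castagnoli) polynomial; assumed digest for this example.
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _build_table()

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def mac96(key: bytes, data: bytes) -> bytes:
    # Keyed integrity check: HMAC-SHA1 truncated to 96 bits (assumed ESP transform).
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def protect(data: bytes, key: bytes) -> dict:
    return {"data": data, "crc": crc32c(data), "mac": mac96(key, data)}

def verify(pdu: dict, key: bytes) -> tuple:
    # Returns (crc_ok, mac_ok) as seen by the receiver.
    crc_ok = crc32c(pdu["data"]) == pdu["crc"]
    mac_ok = hmac.compare_digest(mac96(key, pdu["data"]), pdu["mac"])
    return crc_ok, mac_ok

def corrupted_in_transit(pdu: dict) -> dict:
    # Accidental single-bit error: the digests travel unchanged.
    data = bytearray(pdu["data"])
    data[0] ^= 0x01
    return dict(pdu, data=bytes(data))

def rewritten_without_key(pdu: dict, new_data: bytes) -> dict:
    # Deliberate change by a party without the key: the CRC can be recomputed,
    # the MAC cannot, so the old MAC is left in place.
    return dict(pdu, data=new_data, crc=crc32c(new_data))

KEY = b"constructed-example-key"          # constructed sample key
BLOCK = bytes(range(256)) * 2             # constructed 512-byte data segment

if __name__ == "__main__":
    pdu = protect(BLOCK, KEY)
    print("intact:   ", verify(pdu, KEY))
    print("bit error:", verify(corrupted_in_transit(pdu), KEY))
    print("rewritten:", verify(rewritten_without_key(pdu, b"\x00" * 512), KEY))
```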
    


Last updated: Tue Sep 04 01:04:47 2001