SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI Security rough consensus



    Here is a paper by well-known authors that supports Mark's reasoning that
    the end-to-end iSCSI check is indispensable even when IPsec is on ....
    
    Jonathan Stone and Craig artridge in "When the CRC and TCP checksum
    disagree" study the sources of errors that are not caught by link level
    checks and that therefore stress a higher layer error check mechansim. Such
    errors are quite prevalent and one signifcant source of such errors is the
    end-host itself. The authors emphasize that "hardware must not be trusted"
    and that "many encryption solutions such as IPsec do not provide additional
    (over existing checks) protection because the encryption is applied too late
    in the transmission process, often after the data has passed through a DMA
    engine. Rather the application must add the checksum before handing its data
    to TCP (ala SSL)". The authors recommend that "for truly valuable data (in
    my opinion all data handled by iSCSI) the application should add a stronger
    application-level checksum".
    
    Vince
    
    |-----Original Message-----
    |From: Mark Bakke [mailto:mbakke@cisco.com]
    |Sent: Friday, May 04, 2001 1:04 PM
    |To: Black_David@emc.com
    |Cc: someshg@yahoo.com; ips@ece.cmu.edu
    |Subject: Re: iSCSI Security rough consensus
    |
    |
    |Black_David@emc.com wrote:
    |> 
    |> > Sure would be nice if we could make up our minds and just
    |> >  implement one mechanism.
    |> >
    |> >   Here we have two mechanisms (iSCSI header/data integrity
    |> >   and ESP) which are both mandatory to implement and
    |> >   optional to use. Since ESP seems like a superset why not
    |> >   just have that and get rid of the "integrity only" iSCSI
    |> >   CRC mechanism.
    |> 
    |> It sure would be nice, and in fact we had almost
    |> exactly this discussion later in the evening as
    |> part of the error recovery section of the agenda.
    |> The fly in the ointment is that the HMAC integrity
    |> algorithm that is at the core of ESP's integrity
    |> support is considerably more expensive (software
    |> or hardware) than a CRC, and this isn't likely
    |> to improve as I understand things.  I would expect
    |> to see implementations with ESP completely in
    |> software and visible performance impacts.
    |
    |That's just part of the reason behind having both.  The other is
    |that most implementations won't run IPsec end-to-end; either IPsec
    |is provided in an external device, or even in an iSCSI gateway.
    |In the latter case, all layers are removed and replaced, including
    |iSCSI.  Only the SCSI-level information (data, CDBs) go all the
    |way end-to-end.  Since iSCSI can CRC the SCSI-level data, it can
    |provide the data integrity that will keep our customers happy.
    |
    |The use of the iSCSI CRC is the minimum requirement; adding the
    |IPsec-level integrity check strengthens it, and can simplify error
    |recovery over a not-so-good or untrusted network.
    |
    |--
    |Mark
    |
    |> 
    |> I really need to get the meeting minutes written up :-).
    |> 
    |> Thanks,
    |> --David
    |> 
    |> ---------------------------------------------------
    |> David L. Black, Senior Technologist
    |> EMC Corporation, 42 South St., Hopkinton, MA  01748
    |> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    |> black_david@emc.com       Mobile: +1 (978) 394-7754
    |> ---------------------------------------------------
    |
    |-- 
    |Mark A. Bakke
    |Cisco Systems
    |mbakke@cisco.com
    |763.398.1054
    |
    


Home

Last updated: Tue Sep 04 01:04:46 2001
6315 messages in chronological order