Re: iSCSI Security rough consensus

On Fri, May 04, 2001 at 08:05:57PM -0700, Joshua Tseng wrote:

> I don't know the Security ADs, but if they had this reaction
> as you describe, my question to them would be why did they invent
> tunnel mode and security gateways in the first place? If they
> wanted all protocols to have end-to-end protection as a REQUIREMENT,
> shouldn't they have just stopped with transport mode? That way, it's
> end-to-end IPSec or else use something like TLS.

The main reason for things like tunnel mode and security gateways is legacy protocols and legacy implementations. All new protocols are supposed to worry about security in an end-to-end fashion. Specifying security gateways doesn't satisfy this requirement.

The goal here is to provide something better than the current situation, where most people are using firewalls and completely insecure protocols such as NFS. This is also known as the "hard crunchy exterior surrounding a soft, chewy interior", and it's pretty clear this isn't sufficient. New IETF protocols need to be secure even if you're not surrounded by a firewall and are connected directly to the big, bad Internet.

The current situation vis-a-vis security is a really bad one; witness recent reports about people scanning Silicon Valley for open 802.11 networks, and finding ways of accessing corporate intranets for all sorts of very embarrassed companies. And then there are the stories about machines running PC Anywhere, backdoor modem connections that the IS department didn't know about, home DSL connections to the corporate intranet that were cross-connected with the user's cable modem, etc., etc., etc.

So the answer to your question is that specifying a completely insecure protocol, and saying it's secure if you put a security gateway in front of it, isn't going to satisfy the IESG for new protocol specifications.

- Ted