Re: iSCSI Security rough consensus

[Theodore Tso <tytso@mit.edu>]

On Fri, May 04, 2001 at 08:05:57PM -0700, Joshua Tseng wrote:
> 
> I don't know the Security AD's, but if they had this reaction
> as you describe, my question to them would be why did they invent
> tunnel mode and security gateways in the first place?  If they
> wanted all protocols to have end-to-end protection as a REQUIREMENT,
> shouldn't they have just stopped with transport mode?  That way, it's
> end-to-end IPSec or else use something like TLS.

The main reason for things like tunnel mode and security gateways are
for legacy protocols and legacy implementations.  

All new protocols are supposed to worry about security in an
end-to-end fashion.  Specifying security gateways doesn't satisfy this
requirement.  The goal here is to provide something better than the
current situation, where most people are using firewalls, and
completely insecure protocols such as NFS.  This is also known as the
"hard crunchy exterior surrounding a soft, chewing interior", and it's
pretty clear this isn't sufficient.  New IETF protocols need to be
secure even if you're not surrounded by a firewall, and are connected
directly to the big, bad, Internet.   

The current situation vis-a-vis security is a really bad one; witness
recent reports about people scanning Silicon Valley for open 802.11
networks, and finding ways of accessing corporate intranets for all
sorts of very embarassed companies.  And then there are the stories
about machines running, PC Anywhere, backdoor modem connections that
the IS department didn't know about, home DSL connections to the
corporate intranet that were cross-connected with the user's cable
modem, etc., etc., etc.

So the answer to your question is that specifying a completely
insecure protocol, and saying it's secure if you put a security
gateway in front of it, isn't going to satisfy the IESG for new
protocol specifications.

						- Ted