RE: iSCSI Security rough consensus

David,

<snip..snip>

> The upshot is that we need an end-to-end iSCSI
> authentication mechanism that authenticates the iSCSI
> entities - authenticating the IP endpoints isn't good enough.
> Given this, using that end-to-end authentication to key the
> IP security (i.e., ESP) is natural, and significantly simpler
> as IKE cannot replace SRP in this context because IKE
> is not authenticating the iSCSI entities. For the initial
> version of the draft, just requiring ESP would allow those
> who want to use IKE to key it to do so. What becomes
> an RFC when will depend on how much progress gets
> made in various areas.

Just for clarification, SRP is only one of several "end-to-end iSCSI authentication mechanisms" listed in the -06 draft. Simple Public Key and Kerberosv5 are others. These endpoint authentications can be conducted independently of IPSec (no keying of IPSec). Any of these, negotiated over an IKE-established IP-endpoint-to-IP-endpoint IPSec SA, would provide the needed security. This is especially true if IPSec and iSCSI are hosted on the same box, and if we discount the possibility of an attacker opening up the chassis and getting between IP and iSCSI/TCP in the stack.

I think if SRP were not used to key IPSec, then IKE would be needed. On the other hand, if IKE were available, why would we need SRP to key IPSec?

Josh

>
> I believe all of this is said or implied in the iSCSI requirements
> draft.
>
> --David
>
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA 01748
> +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
> black_david@emc.com Mobile: +1 (978) 394-7754
> ---------------------------------------------------
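The exchange both messages argue about, as an added illustration that is not part of the original thread and not code from the iSCSI drafts or either author: a toy SRP-6a login in which the target authenticates the initiator by its iSCSI name and password (holding only a salted verifier), and a successful login leaves both entities with a shared secret K that could be handed to ESP as keying material, independent of whether IKE established an SA underneath. The group parameters (a 127-bit prime that is not a safe prime and not an RFC 5054 group), the iSCSI names, the password and the simplified proof messages M1/M2 are assumptions made so the example runs offline.

```python
"""Toy SRP-6a login between an iSCSI initiator and target (added example)."""
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime but is neither a safe prime nor a standard
# SRP group (RFC 5054). Assumed here only so the demo runs with no parameters.
N = (1 << 127) - 1
g = 3
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as the SRP hash inputs require."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, interpreted as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(identity: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(identity ':' password)); only the initiator computes it."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


class Target:
    """iSCSI target: stores (salt, verifier) per initiator name, never a password."""

    def __init__(self):
        self.db = {}
        self.pending = {}

    def enroll(self, identity: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.db[identity] = (salt, pow(g, private_x(identity, password, salt), N))

    def login_start(self, identity: str, A: int):
        if A % N == 0:
            raise ValueError("initiator ephemeral A is zero mod N")
        salt, v = self.db[identity]
        while True:
            b = secrets.randbelow(N - 2) + 1
            B = (k * v + pow(g, b, N)) % N
            if B != 0:  # peers must reject B == 0, so never send it
                break
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N) % N, b, N)  # (A * v^u)^b
        self.pending[identity] = (A, B, hashlib.sha256(pad(S)).digest())
        return salt, B

    def login_finish(self, identity: str, M1: bytes):
        A, B, K = self.pending.pop(identity)
        expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
        if not hmac.compare_digest(expected, M1):
            return None  # wrong password: no proof, no session key released
        return hashlib.sha256(pad(A) + M1 + K).digest(), K


class Initiator:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def login_finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("target ephemeral B is zero mod N")
        u = H(pad(self.A), pad(B))
        x = private_x(self.identity, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # (B - k g^x)^(a + ux)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_target(self, M2: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(pad(self.A) + self.M1 + self.K).digest(), M2)


def run_login(target: Target, identity: str, password: str):
    """Drive one login; returns (authenticated, initiator_K, target_K)."""
    init = Initiator(identity, password)
    salt, B = target.login_start(identity, init.A)
    result = target.login_finish(identity, init.login_finish(salt, B))
    if result is None:
        return False, init.K, None
    M2, target_K = result
    return init.verify_target(M2), init.K, target_K


if __name__ == "__main__":
    name = "iqn.2001-04.com.example:initiator0"  # constructed sample name
    t = Target()
    t.enroll(name, "correct horse")
    print("good password:", run_login(t, name, "correct horse")[0])
    print("bad password:", run_login(t, name, "wrong")[0])
```

The point the demo makes concrete is the one in the quoted text: what is being authenticated is the initiator's iSCSI name against a verifier the target holds, not an IP address, and K falls out of that authentication whether or not an IKE-keyed SA already exists on the path.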
Last updated: Tue Sep 04 01:04:42 2001