
    RE: iSCSI Security rough consensus



    David,
    
    <snip..snip>
    > The upshot is that we need an end-to-end iSCSI
    > authentication mechanism that authenticates the iSCSI
    > entities - authenticating the IP endpoints isn't good enough.
    > Given this, using that end-to-end authentication to key the 
    > IP security (i.e., ESP) is natural, and significantly simpler
    > as IKE cannot replace SRP in this context because IKE
    > is not authenticating the iSCSI entities.  For the initial
    > version of the draft, just requiring ESP would allow those
    > who want to use IKE to key it to do so.  What becomes
    > an RFC when will depend on how much progress gets
    > made in various areas.
    
    Just for clarification, SRP is only one of several
    "end-to-end iSCSI authentication mechanisms" listed
    in the -06 draft. Simple Public Key and Kerberos v5
    are others.  These endpoint authentications can
    be conducted independently of IPSec (no keying of
    IPSec).  Any of these, negotiated over an IKE-established
    IP-endpoint-to-IP-endpoint IPSec SA, would provide the
    needed security.  This is especially true if IPSec and
    iSCSI are hosted on the same box, and if we discount
    the possibility of an attacker opening up the chassis
    and getting between IP and iSCSI/TCP in the stack.
    
    I think if SRP were not used to key IPSec, then IKE
    would be needed.  On the other hand, if IKE were available,
    why would we need SRP to key IPSec?
    
    Josh
    
    > 
    > I believe all of this is said or implied in the iSCSI requirements
    > draft.
    > 
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    
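The thread turns on a distinction between authenticating IP endpoints (what IKE does) and authenticating the iSCSI entities themselves, and on whether the latter should also produce the key for ESP. The following is an added example, not code from the IPS list, the iSCSI draft or any iSCSI implementation: a minimal SRP-6a exchange in which both sides authenticate by iSCSI entity name and password-derived verifier and finish holding the same session key K, which is the material a "key IPsec from SRP" design would hand to ESP. Assumptions: the 1024-bit group is transcribed from RFC 5054 (check it against the RFC before relying on it), the proof messages M1/M2 use a shortened form rather than the exact RFC 2945 formula, and the initiator name is a constructed IQN.

```python
"""SRP-6a authentication yielding a shared session key.
Added illustration for the IKE-vs-SRP keying discussion; not iSCSI code."""
import hashlib
import secrets

# 1024-bit group (g = 2) transcribed from RFC 5054, Appendix A.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # byte length used by PAD()


def H(*parts: bytes) -> int:
    """SHA-1 over the concatenation, interpreted as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N."""
    return x.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def make_verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    """Stored on the target side: v = g^x, x = H(s | H(I ":" P)). No password kept."""
    x = H(salt, hashlib.sha1(identity + b":" + password).digest())
    return pow(g, x, N)


class Initiator:
    """Client side: knows the password, never sends it."""

    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def process_challenge(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("target sent B == 0 mod N")
        u = H(pad(self.A), pad(B))
        x = H(salt, hashlib.sha1(self.I + b":" + self.P).digest())
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha1(pad(S)).digest()          # session key
        self.M1 = hashlib.sha1(pad(self.A) + pad(B) + self.K).digest()  # shortened proof
        return self.M1

    def verify_target(self, M2: bytes) -> bool:
        expected = hashlib.sha1(pad(self.A) + self.M1 + self.K).digest()
        return secrets.compare_digest(expected, M2)


class Target:
    """Server side: holds only salt and verifier for the initiator name."""

    def __init__(self, identity: bytes, salt: bytes, verifier: int):
        self.I, self.s, self.v = identity, salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def challenge(self):
        return self.s, self.B

    def process_proof(self, A: int, M1: bytes):
        """Returns M2 on success, None if the initiator's proof is wrong."""
        if A % N == 0:
            raise ValueError("initiator sent A == 0 mod N")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.K = hashlib.sha1(pad(S)).digest()
        expected = hashlib.sha1(pad(A) + pad(self.B) + self.K).digest()
        if not secrets.compare_digest(expected, M1):
            return None
        return hashlib.sha1(pad(A) + M1 + self.K).digest()


def run_exchange(identity: bytes, salt: bytes, verifier: int, password: bytes):
    """Full exchange; returns (authenticated, initiator_key, target_key)."""
    init, tgt = Initiator(identity, password), Target(identity, salt, verifier)
    salt_out, B = tgt.challenge()
    M1 = init.process_challenge(salt_out, B)
    M2 = tgt.process_proof(init.A, M1)
    if M2 is None or not init.verify_target(M2):
        return False, None, None
    return True, init.K, tgt.K  # equal keys, usable as ESP keying material


if __name__ == "__main__":
    # Constructed sample credentials (not from any real deployment).
    name, pw, salt = b"iqn.2001-09.com.example:init01", b"constructed-secret", b"salt-01"
    v = make_verifier(name, pw, salt)
    print(run_exchange(name, salt, v, pw)[0])          # True
    print(run_exchange(name, salt, v, b"wrong")[0])    # False
```

The point of the exchange for the thread: the target authenticates the initiator by its iSCSI name (not its IP address), and the key K falls out of that authentication for free; with IKE-keyed IPsec the ESP keys exist, but nothing in them ties the SA to the iSCSI entity, so a separate authentication step is still required.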


Last updated: Tue Sep 04 01:04:42 2001