
    RE: iSCSI Security rough consensus



    Thanks Ofer,
    
    But I don't have any problem with specifying how
    SRP can be used to key ESP.  My question is whether
    we should make this a REQUIRED-TO-IMPLEMENT right now
    at this moment.  It's obvious there needs to be some
    amount of work in this area before we know what we
    are getting with SRP_WITH_ESP_KEYING.  In the meantime,
    IKE is mature, is integrated with IPSec, and is
    interoperable (as far as I know).  I personally have
    used IKE/IPSec implementations that have been embedded
    in relatively small devices (< 8MB), and they worked
    fine as far as I could tell.  I don't understand why
    some have asserted that it is inappropriate for embedded
    iSCSI devices.  If this is true, then what criteria
    were used?  And how sufficiently "simple" and "lightweight"
    does the approach have to be in order to be "acceptable"
    to iSCSI?
    
    My intuition tells me that leveraging mature, tested
    solutions would be the lowest-risk path for iSCSI to
    move forward as far as implementation complexity and
    future interoperability issues are concerned.  I believe
    IKE fits the bill in this regard.  SRP is still TBD. 
    
    The IPS WG has always opted in favor of deployed and
    proven technology (such as TCP), and I see no reason
    to make an exception in this case.
    
    Regards,
    Josh
    > 
    > Josh,
    > 
    > > I think if SRP were not used to key IPSec, then IKE
    > > would be needed.  On the other hand, if IKE were available,
    > > why would we need SRP to key IPSec?
    > 
    > Both SRP and SRP_WITH_ESP_KEYING will be defined among the
    > AuthMethods that can be negotiated in the Login, for now only
    > SRP mandatory to implement. If one has ESP with IKE (or pre-keying)
    > he can configure the negotiation not to offer/choose
    > SRP_WITH_ESP_KEYING.  However, this option might be very
    > convenient for non-IKE implementations.
    > 
    >    Regards,
    >      Ofer
    > 
    > 
    > Ofer Biran
    > Storage and Systems Technology
    > IBM Research Lab in Haifa
    > biran@il.ibm.com  972-4-8296253
    > 
    > 
    > Joshua Tseng <jtseng@NishanSystems.com> on 05/15/2001 09:34:43 PM
    > 
    > Please respond to Joshua Tseng <jtseng@NishanSystems.com>
    > 
    > To:   "'Black_David@emc.com'" <Black_David@emc.com>, 
    > aboba@internaut.com,
    >       tytso@mit.edu
    > cc:   ips@ece.cmu.edu
    > Subject:  RE: iSCSI Security rough consensus
    > 
    > 
    > 
    > 
    > 
    



Last updated: Tue Sep 04 01:04:42 2001