RE: iSCSI Security rough consensus

Thanks Ofer,

But I don't have any problem with specifying how SRP can be used to key ESP. My question is whether we should make this a REQUIRED-TO-IMPLEMENT right now at this moment. It's obvious there needs to be some amount of work in this area before we know what we are getting with SRP_WITH_ESP_KEYING.

In the meantime, IKE is mature, is integrated with IPSec, and is interoperable (as far as I know). I personally have used IKE/IPSec implementations that have been embedded in relatively small devices (< 8MB), and they worked fine as far as I could tell. I don't understand why some have asserted that it is inappropriate for embedded iSCSI devices. If this is true, then what criteria were used? And how sufficiently "simple" and "lightweight" does the approach have to be in order to be "acceptable" to iSCSI?

My intuition tells me that leveraging mature, tested solutions would be the lowest-risk path for iSCSI to move forward as far as implementation complexity and future interoperability issues are concerned. I believe IKE fits the bill in this regard. SRP is still TBD. The IPS WG has always opted in favor of deployed and proven technology (such as TCP), and I see no reason to make an exception in this case.

Regards,
Josh

>
> Josh,
>
> > I think if SRP were not used to key IPSec, then IKE
> > would be needed. On the other hand, if IKE were available,
> > why would we need SRP to key IPSec?
>
> Both SRP and SRP_WITH_ESP_KEYING will be defined among the
> AuthMethods that can be negotiated in the Login, for now only
> SRP mandatory to implement. If one has ESP with IKE (or pre-keying)
> he can configure the negotiation not to offer/choose
> SRP_WITH_ESP_KEYING. However, this option might be very
> convenient for non-IKE implementations.
>
> Regards,
> Ofer
>
>
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com 972-4-8296253
>
>
> Joshua Tseng <jtseng@NishanSystems.com> on 05/15/2001 09:34:43 PM
>
> Please respond to Joshua Tseng <jtseng@NishanSystems.com>
>
> To: "'Black_David@emc.com'" <Black_David@emc.com>,
>     aboba@internaut.com,
>     tytso@mit.edu
> cc: ips@ece.cmu.edu
> Subject: RE: iSCSI Security rough consensus
>
Last updated: Tue Sep 04 01:04:42 2001
6315 messages in chronological order