RE: iSCSI Security rough consensus

To: "'biran@il.ibm.com'" <biran@il.ibm.com>
Subject: RE: iSCSI Security rough consensus
From: Joshua Tseng <jtseng@NishanSystems.com>
Date: Tue, 15 May 2001 14:56:10 -0700
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Thanks Ofer,

But I don't have any problem with specifying how
SRP can be used to key ESP.  My question is whether
we should make this a REQUIRED-TO-IMPLEMENT right now
at this moment.  It's obvious there needs to be some
amount of work in this area before we know what we
are getting with SRP_WITH_ESP_KEYING.  In the meantime,
IKE is mature, is integrated with IPSec, and is
interoperable (as far as I know).  I personally have
used IKE/IPSec implementations that have been embedded
in relatively small devices (< 8MB), and they worked
fine as far as I could tell.  I don't understand why
some have asserted that it is inappropriate for embedded
iSCSI devices.  If this is true, then what criteria
was used?  And how sufficiently "simple" and "lightweight"
does the approach have to be in order to be "acceptable"
to iSCSI?

My intuition tells me that leveraging mature, tested
solutions would be the lowest-risk path for iSCSI to
move forward as far as implementation complexity and
future interoperability issues are concerned.  I believe
IKE fits the bill in this regard.  SRP is still TBD. 

The IPS WG has always opted in favor of deployed and
proven technology (such as TCP), and I see no reason
to make an exception in this case.

Regards,
Josh
> 
> Josh,
> 
> > I think if SRP were not used to key IPSec, then IKE
> > would be needed.  On the other hand, if IKE were available,
> > why would we need SRP to key IPSec?
> 
> Both SRP and SRP_WITH_ESP_KEYING will be defined among the
> AuthMethods that can be negotiated in the Login, for now only
> SRP mandatory to implement. If one has ESP with IKE (or pre-keying)
> he can configure the negotiation not to offer/choose
> SRP_WITH_ESP_KEYING.  However, this option might be very
> convenient for non-IKE implementations.
> 
>    Regards,
>      Ofer
> 
> 
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com  972-4-8296253
> 
> 
> Joshua Tseng <jtseng@NishanSystems.com> on 05/15/2001 09:34:43 PM
> 
> Please respond to Joshua Tseng <jtseng@NishanSystems.com>
> 
> To:   "'Black_David@emc.com'" <Black_David@emc.com>, 
> aboba@internaut.com,
>       tytso@mit.edu
> cc:   ips@ece.cmu.edu
> Subject:  RE: iSCSI Security rough consensus
> 
> 
> 
> 
>

Prev by Date: iFCP Clarification
Next by Date: RE: iSCSI: Aggregation tags in SendTargets
Prev by thread: RE: iSCSI Security rough consensus
Next by thread: RE: iSCSI Security rough consensus
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:42 2001
6315 messages in chronological order