SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI and secure boot



    David,
    
    > While we have been using DHCP as the example of how hard it is to
    > securely boot over a network, switching to LDAP does nothing to
    > make it easier.  Every initiator still needs to have a key stored
    > securely in nonvolitile memory and mechanisms to initially
    > create the key as well as update or revoke it. LDAP doesn't
    > solve this problem.
    
    LDAP does solve the problem.  If you have a simple boot that is indeed
    stable, you do not have the issues of updating a key or how it is used.  The
    initial image should utilize LDAP as a means of applying extensions that can
    be updated or revoked by means of modifying the information presented or
    pointed to by LDAP.  Keep this boot simple and within a stable environment.
    That alone demands that new protocols not be used.  You would want a highly
    stable server and protocol to base this simple boot managed in a secure
    manner.
    
    > Regardless of if you used TFTP, DHCP, or LDAP as the secondary boot
    > platform, it must be one that can be trusted and the trust must
    > come from the physical hardware and not over a network.  The
    > same key management issues still exist.
    
    You already have initial image that can be trusted based on stored
    information.  This information does not go away.  Use this stored
    information as a shared secret merged with information within the boot image
    to then continue the next step of the process.
    
    > But the problem is that no matter how secure the LDAP server is,
    > the client must be secure or all bets are off.  The only way to make
    > the client secure is to have some form of credential on the client
    > before any network traffic is initiated.  Bernard was simply describing
    > that having a per-machine credential won't scale and the proposal
    > to have a per-interface credential will have orders of magnitude
    > worse scaling.  Again LDAP can't be used to manage this as the
    > credential
    > must be on the client *before* it issues any requests.
    
    No, the problem is not that it will not scale.  This is not analogous to a
    login.  If you wanted a secure agent that could remotely modify these keys,
    it could be done, but I do not think that to be a good thing.  What problem
    should this solve?  It will not scale if each machine must be individually
    handled every few weeks when a protocol changes or an update goes awry.
    Security is simply a matter of bootstrapping using stored information to
    establish a trusted image to build an environment using simple routines in a
    highly stable environment.  The next step can leverage this same
    information.  To use a new protocol within the initial booting, there will
    be a great deal of difficulty created for all.
    
    Doug
    
    > 	-David
    
    


Home

Last updated: Tue Sep 04 01:04:34 2001
6315 messages in chronological order