RE: iSCSI Security mechanisms

> the negotiation is not
> authenticated/protected in the fashion that
> IKE's is).

This is easy to fix. Just include the chosen groups/ciphersuites, etc. in the authentication hash. Also remember to generate sufficient keying material (auth & encryption keys, different in each direction).

One other thing to think about is whether you will have multiple associations between two endpoints; if so, then you probably want something akin to IKE phase 1/phase 2; if not, you can live with only a phase 1 equivalent. In either case, re-key support is probably needed to avoid staleness in keying material.

> iSCSI does have to specify the ESP authentication/integrity
> transform - as things currently stand, a SHA-1 HMAC
> (RFC 2404 specifies HMAC-SHA-1-96) would be a likely
> choice, but an alternate could be an AES-related MAC if
> its specification will be available in a suitable timeframe.

Before making a choice, you probably want to examine the performance data. There has been some concern about auth/integrity performance at 10 Gbps, and so some newer integrity mechanisms (e.g. UMAC, as little as 2 cycles/octet) may be appropriate. In general, it's pretty simple to add ciphersuite negotiation to SRP, so you won't be stuck with fixed transforms.
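The two points above, binding the negotiated parameters into the authentication hash and deriving separate auth/encryption keys per direction, as an added illustration in Python (not code from this thread or from any iSCSI/SRP implementation). It assumes a shared session key already produced by the SRP exchange, a constructed ciphersuite record, and an HKDF-style key schedule chosen here for the example; the responder rejects a confirmation tag whenever its view of the negotiation differs from the initiator's.

```python
import hmac
import hashlib
import os

# Constructed sample negotiation record; the session key stands in for the
# SRP-derived secret and is just random bytes here.
SUITE = {"group": "modp-1024", "cipher": "AES-128-CBC", "integrity": "HMAC-SHA1-96"}

def confirm_mac(session_key, negotiated, nonce_i, nonce_r):
    """Authentication tag over both nonces and every negotiated parameter, so a
    peer whose view of the negotiation differs cannot verify it."""
    transcript = b"|".join(
        [nonce_i, nonce_r] + [f"{k}={negotiated[k]}".encode() for k in sorted(negotiated)]
    )
    return hmac.new(session_key, transcript, hashlib.sha256).digest()

def verify_confirm(session_key, my_view, tag, nonce_i, nonce_r):
    """Responder side: recompute the tag over its own view of the negotiation."""
    expected = confirm_mac(session_key, my_view, nonce_i, nonce_r)
    return hmac.compare_digest(expected, tag)

def derive_keys(session_key, nonce_i, nonce_r):
    """Four distinct keys: auth and encryption, one per direction
    (HKDF-style extract/expand, an assumption; the thread prescribes no KDF)."""
    prk = hmac.new(nonce_i + nonce_r, session_key, hashlib.sha256).digest()
    return {
        label: hmac.new(prk, label.encode() + b"\x01", hashlib.sha256).digest()
        for label in ("auth-i2r", "auth-r2i", "enc-i2r", "enc-r2i")
    }

def downgrade_detected(session_key=None):
    """Model a negotiation where the responder's view of the cipher choice was
    altered after the initiator computed its tag; True if the responder rejects."""
    session_key = session_key or os.urandom(32)
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    tag = confirm_mac(session_key, SUITE, nonce_i, nonce_r)
    altered_view = dict(SUITE, cipher="NULL")
    honest_ok = verify_confirm(session_key, SUITE, tag, nonce_i, nonce_r)
    altered_ok = verify_confirm(session_key, altered_view, tag, nonce_i, nonce_r)
    return honest_ok and not altered_ok

if __name__ == "__main__":
    print("altered negotiation rejected:", downgrade_detected())
    keys = derive_keys(os.urandom(32), b"a" * 16, b"b" * 16)
    print("distinct directional keys:", len(set(keys.values())))
```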