
    RE: iSCSI Security mechanisms



    > the negotiation is not
    > authenticated/protected in the fashion that
    > IKE's is).
    
    This is easy to fix. Just include the chosen
    groups/ciphersuites, etc. in the authentication hash. Also remember to
    generate sufficient keying material (auth & encryption keys,
    different in each direction). One other thing to think about is whether
    you will have multiple associations between two endpoints; if so, then you
    probably want something akin to IKE phase 1/phase 2; if not, you can live
    with only a phase 1 equivalent. In either case, re-key support is probably
    needed to avoid staleness in keying material. 
    
    > iSCSI does have to specify the ESP authentication/integrity
    > transform - as things currently stand, a SHA-1 HMAC
    > (RFC 2404 specifies HMAC-SHA-1-96) would be a likely
    > choice, but an alternate could be an AES-related MAC if
    > its specification will be available in a suitable timeframe.
    
    Before making a choice, you probably want to examine the performance
    data. There has been some concern about auth/integrity performance at 10
    Gbps, and so some newer integrity mechanisms (e.g. UMAC, as little as 
    2 cycles/octet) may be appropriate. In general, it's pretty simple to add
    ciphersuite negotiation to SRP, so you won't be stuck with fixed
    transforms. 
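One way to implement the two points made in the reply above (binding the negotiated transforms into the authentication step, and expanding distinct per-direction auth and encryption keys), as an added example that is not part of the original message or of any iSCSI or SRP specification; the transcript encoding, the labels, the group name and the HMAC-SHA-256 key expansion are assumptions:

```python
"""Transcript binding for ciphersuite negotiation (constructed example).

Both peers finish the authenticated key exchange holding a shared secret K.
Each side then MACs the negotiation transcript *it* observed under K. If a
man-in-the-middle altered the offered or chosen transforms in flight, the two
transcripts differ, the confirmation MAC fails, and the downgrade is detected.
"""
import hashlib
import hmac

HASH = hashlib.sha256


def transcript(offered, chosen, group):
    """Canonical byte encoding of what was negotiated (assumed format)."""
    offered_bytes = b",".join(s.encode() for s in offered)
    return b"|".join([offered_bytes, chosen.encode(), group.encode()])


def confirmation_mac(k, role, tr):
    """Confirmation value sent by `role` (b"initiator" or b"target")."""
    return hmac.new(k, b"confirm:" + role + b":" + tr, HASH).digest()


def verify_confirmation(k, role, tr, mac):
    """Constant-time check of a peer's confirmation against our transcript."""
    return hmac.compare_digest(confirmation_mac(k, role, tr), mac)


def expand_keys(k, tr):
    """Four distinct keys: auth and encryption, one for each direction."""
    labels = ("auth-i2t", "auth-t2i", "enc-i2t", "enc-t2i")
    return {lbl: hmac.new(k, b"key:" + lbl.encode() + b":" + tr, HASH).digest()
            for lbl in labels}


def run_handshake(k, initiator_offered, target_saw_offered, chosen, group):
    """Return True when the initiator accepts the target's confirmation.

    `initiator_offered` is the list the initiator sent; `target_saw_offered`
    is the list the target actually received (equal unless tampered with).
    """
    tr_target = transcript(target_saw_offered, chosen, group)
    mac_from_target = confirmation_mac(k, b"target", tr_target)
    tr_initiator = transcript(initiator_offered, chosen, group)
    return verify_confirmation(k, b"target", tr_initiator, mac_from_target)
```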
    
    
    


Last updated: Tue Sep 04 01:04:34 2001
6315 messages in chronological order