FCIP: RE: Security Gateways

To: <Black_David@emc.com>
Subject: FCIP: RE: Security Gateways
From: "Murali Rajagopal" <muralir@lightsand.com>
Date: Wed, 1 Aug 2001 09:17:25 -0700
Cc: <ips@ece.cmu.edu>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="iso-8859-1"
Importance: Normal
In-Reply-To: <277DD60FB639D511AC0400B0D068B71E070AA3@CORPMX14>
Sender: owner-ips@ece.cmu.edu

David:

The FCIP WG is just beginning to address the security topic. It is expected
that by the Interim Irvine meeting the FCIP Group will have had some time to
understand the implications of  the different approaches. It is too
premature at this time for the group to conclude one way or the other.
Please bear with us for some more time.

-Murali

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Black_David@emc.com
Sent: Tuesday, July 24, 2001 7:11 PM
To: ips@ece.cmu.edu
Subject: Security Gateways

The following issue was hidden in my long set of
comments on the -03 version of FCIP:

> > Delete 12 b).  If an FCIP entity is operating with an external
> > security gateway, only the interface on the public side of the
> > gateway is compliant with this specification.  The interface
> > between the FCIP entity and the gateway is not compliant because
> > it is lacking required security features - the FCIP entity
> > *includes* the security gateway in this structure.
>
> Please post this as a separate issue because several of the
> FCIP Authors believe it is appropriate for FCIP and I cannot
> represent their opinions.

The issue is not whether it's "appropriate".  The issue
is that if an implementation uses an FCIP Entity plus
an external security gateway, the only interface that
conforms to the forthcoming RFC is the public/external
interface on the security gateway.  The interface between
the FCIP Entity and the security gateway is private
and fails to conform to the security that will be
required of all FCIP implementations.

The above paragraph also applies to iSCSI (substitute iSCSI
for FCIP in all instances).  Let me also note that iSCSI's
ability to use a security gateway is not final at this
juncture.  The spectrum of security possibilities includes
things like SRP keying of ESP and IPsec transport mode that
would make external gateways difficult or impossible to use.

Those who care about being able to use security gateways
(or think that there's no need to support their use)
should speak up on the list, in London, and/or in Orange
County (I would expect the decision not to be made prior
to Orange County) and *EXPLAIN WHY* [technical rationale].

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

References:
- Security Gateways
  - From: Black_David@emc.com

Prev by Date: Remove
Next by Date: RE: Security Gateways
Prev by thread: Security Gateways
Next by thread: RE: Security Gateways
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:08 2001
6315 messages in chronological order