
    Re: Security Gateways



    
    David,
    Do your comments also apply to iFCP gateways (i.e. will cryptographic
    security be required in iFCP gateways in order for these to conform to
    spec)?
    
    
    Saqib Jang
    Margalla Communications, Inc.
    3301 El Camino Real, Suite 220
    Atherton, CA 94027
    Tel (650) 298 8462 Fax:( 650)  851 1613
    http://www.margallacomm.com
    
    ---------------------------------------------------------------------------------------------
    
    
                         The issue is not whether it's "appropriate".  The issue
                         is that if an implementation uses an FCIP Entity plus
                         an external security gateway, the only interface that
                         conforms to the forthcoming RFC is the public/external
                         interface on the security gateway.  The interface between
                         the FCIP Entity and the security gateway is private
                         and fails to conform to the security that will be
                         required of all FCIP implementations.

                         The above paragraph also applies to iSCSI (substitute iSCSI
                         for FCIP in all instances).  Let me also note that iSCSI's
                         ability to use a security gateway is not final at this
                         juncture.  The spectrum of security possibilities includes
                         things like SRP keying of ESP and IPsec transport mode that
                         would make external gateways difficult or impossible to use.

                         Those who care about being able to use security gateways
                         (or think that there's no need to support their use)
                         should speak up on the list, in London, and/or in Orange
                         County (I would expect the decision not to be made prior
                         to Orange County) and *EXPLAIN WHY* [technical rationale].
    
                         Thanks,
                         --David
    
                         ---------------------------------------------------
                         David L. Black, Senior Technologist
                         EMC Corporation, 42 South St., Hopkinton, MA  01748
                         +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
                         black_david@emc.com       Mobile: +1 (978) 394-7754
                         ---------------------------------------------------
    
    
    



Last updated: Tue Sep 04 01:04:07 2001
6315 messages in chronological order