SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI - three negotiation items



    Comments below.  --David
    
    > -----Original Message-----
    > From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    > Sent: Thursday, August 02, 2001 3:14 AM
    > To: ips@ece.cmu.edu
    > Subject: Re: iSCSI - three negotiation items
    > 
    > 
    > 
    > comments in text. Julo
    > 
    > 
    > 
    > Black_David@emc.com on 02-08-2001 04:46:53
    > 
    > Please respond to Black_David@emc.com
    > 
    > To:   ips@ece.cmu.edu
    > cc:
    > Subject:  iSCSI - three negotiation items
    > 
    > 
    > 
    > 
    > Going through the list of simplification suggestions,
    > I found a few items that look like they
    > should be reasonable to deal with on the list.
    > 
    > (1) For any key that can take a numeric value, could
    > we specify the required base for the number, either
    > decimal or hex, not both.  The practical issue is that
    > the sort of large values used for keys and the like
    > in security are much easier to deal with in hex than
    > decimal.
    > 
    > +++ the current draft allows for both - Is there something 
    > wrong with that?
    > Hex is simpler but if data gets copied from somewhere else 
    > and that is a
    > decimal source then that is error prone +++
    
    DLB> Possibly.  The implementation issue is that converting
    DLB> large quantities (e.g., 128 bit) from decimal to hex
    DLB> is annoying (it's bignum arithmetic).  Does anyone
    DLB> ever use decimal to represent this sort of keying
    DLB> material?  The major concern is apparently the
    DLB> security-related stuff (e.g., I doubt it's
    DLB> a big deal if someone wants to use hex instead of
    DLB> decimal for MaxConnections).
     
    > (2) The KRB5 and SPKM inband cryptographic integrity
    > digests on p.136 seem to be relics of a prior inband
    > approach to security.  Has anyone implemented them?
    > Does anyone want them to remain?  Can we just delete
    > them?
    > 
    > +++ Yes - I think we can take them out although UMAC may 
    > get-in at some
    > point :-) +++
    
    DLB> Good.  
    
    > (3) Can HeaderDigest and DataDigest be combined?
    > If (2) is done, this is about making use of CRC-32C
    > a single on/off switch rather than two separate switches
    > for header and data?
    > 
    > +++ combining defeats the purpose of the iSCSI CRC - to get 
    > you through
    > iSCSI proxies that may change the header but will not change 
    > the data +++
    
    DLB> My fault for not being clear.  The proposal is to still
    DLB> compute separate CRCs on header and data for exactly
    DLB> that iSCSI proxy reason that Julian cites, but to
    DLB> combine the negotiation keys into one key so that
    DLB> the only two possibilities are:
    DLB>  - Both CRCs are generated.
    DLB>  - Neither CRC is generated.
    DLB> Does anyone see a compelling case for one of these
    DLB> CRCs without the other?
    


Home

Last updated: Tue Sep 04 01:04:07 2001
6315 messages in chronological order