Re: saag whyenc draft (was RE: Security Gateways)

To: Black_David@emc.com
Subject: Re: saag whyenc draft (was RE: Security Gateways)
From: Bernard Aboba <aboba@internaut.com>
Date: Fri, 3 Aug 2001 22:41:16 -0700 (PDT)
cc: bill@strahm.net, wdixon@microsoft.com, ips@ece.cmu.edu
Content-Type: TEXT/PLAIN; charset=US-ASCII
In-Reply-To: <277DD60FB639D511AC0400B0D068B71ECAD567@CORPMX14>
Sender: owner-ips@ece.cmu.edu

> Are you prepared to argue that data requiring
> confidentiality will never or almost never be sent via iSCSI or
> FCIP?  That is the line of reasoning that this draft leads to.

It's worth keeping in mind that Encrypting File Systems are now widely
supported. So in practice, the data may already be encrypted, and it might
be argued that in such a case, IPsec confidentiality is redundant. 

> OTOH, this argument may have some merit, as I would definitely expect
> to see things like this sort of brain-damaged software encryption module
> if confidentiality becomes a "MUST implement".  

Unfortunately, such a software encryption module would not be
"brain-damaged." Such performance is typical of 3DES implemented in
software on Pentium class processors in the 200 - 300 Mhz range (and
equivalent RISC processors). Software AES implementations will do
almost an order of magnitude better. but that's still a far cry from 1+
Gbps. At those speeds hardware acceleration will be required. 

Ultimately, the credibility of mandating confidentiality depends on the
demonstration that the service can actually be provided at the required
line rates. I expect that we will be able to lay out the evidence by the
Interim Meeting. 

> this applies only to confidentiality -- a small amount of thought about
> the consequences of impersonation and a script kiddie's TCP hijack attack
> leads to the conclusion that authentication and cryptographic integrity
> have to be "MUST implement" for iSCSI, FCIP, and iFCP.
> 

Yup. 

> The paper indicated that PowerPC clock speeds of 600-800 Mhz would be
> required in order for UMAC to handle 1 Gbps line rate...

I agree that it might be challenging to implement a software MAC on an
iSCSI target running at 1+ Gbps line rate. But this is more credible
for an iSCSI initiator running on a new PC with say, 1.7 Ghz clock rate. 
At 1 Gbps, UMAC-4/8 would consume 262.5 Million cycles/second, or
15% of CPU. 

By the interim meeting, we hope to have some presentations on the
performance achievable via hardware acceleration. I'd
note that software MAC algorithms are not necessarily the fastest
algorithms to implement in hardware. So the 2-3 cycles/byte of UMAC
on PowerPC should not be considered the best that can be done, just an
indication of how far we've come from HMAC-SHA1.

References:
- saag whyenc draft (was RE: Security Gateways)
  - From: Black_David@emc.com

Prev by Date: RE: Review of the 07 draft
Next by Date: RE: iSCSI: SendTargets in login or FFP?
Prev by thread: saag whyenc draft (was RE: Security Gateways)
Next by thread: Re: saag whyenc draft (was RE: Security Gateways)
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:06 2001
6315 messages in chronological order