SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: saag whyenc draft (was RE: Security Gateways)



    > I would like to second Jim's remarks below, and would like to see some
    > or all of his text included in the iSCSI document.  I think
    > this is a reasonable approach which would address most concerns on
    > all sides.
    
    Not exactly.  The "asterisk" type of implementation (complies with
    the security portion of the RFC only when a separately purchased
    external gateway is present) have the potential to provide other
    than end-to-end security because there's no way to control how
    much network is between the iSCSI device and the gateway (e.g.,
    suppose the gateway goofs and instead of talking to its peer
    in the other city winds up talking to a gateway located a few
    hops away in a metro POP).  At the moment, both automatic keying
    proposals for iSCSI (SRP/ESP and some variant of IKE) are headed
    in this direction by requiring modifications to current IPsec
    firewalls in order to correctly implement the keying and/or
    ESP processing.
    
    The rest of Josh's message confuses "mandatory to implement" (which
    iSCSI is being required to do) with "mandatory to use" (which is
    not required, not even by the saag whyenc draft. After a long
    exposition on the utility of corporate security gateways (mostly
    correct, as they are in fact useful) Josh sums up by saying:
    
    >  My solution would be to hide these devices
    > behind a security gateway network proxy, turn off the end-to-end security,
    > and use the security gateway's IPSec.
    
    This is completely permissible, even under the saag whyenc draft (see its
    discussion of "mandatory to implement" vs. "mandatory to use" in Section 7),
    and is the obvious thing to do in the situation Josh is concerned about.
    
    One other note is that to get denial of service prevention benefits for
    iSCSI from a firewall, one probably needs iSCSI-specific inspection code
    in the firewall.  Needless to say, this won't happen right away.
    
    --David
    
    p.s.  Jim's original text on types of implementations is below.
    
    
    > > 
    > > I think with regards to both confidentiality and 
    > authentication (IPSec
    > > authentication, not login authentication) one can expect three types
    > > of implementations.
    > > 
    > > 1.  Products that claim full RFC compliance in big letters with a 
    > >     small foot note stating that an external gateway is required
    > >     for compliance with the security section of the RFC.
    > > 
    > > 2.  Products that claim full RFC compliance but drop to 1% normal
    > >     throughput whenever security is enabled, and whose customers
    > >     will buy an external gateway anyway when they want security.
    > > 
    > > 3.  Products that can run security at full speed but which are
    > >     not competative in terms of cost/performance with 1 and 2.
    > > 
    > > I don't have a problem with any of these, but I think it's 
    > critically
    > > important that the security protocol for iSCSI doesn't preclude
    > > options 1 and 2.  In terms of actual deployment, I suspect these
    > > will be the most common.  A requirement for keying IPSec in
    > > a way that is not compatable with existing security gateways
    > > would be a serious setback to general acceptance of iSCSI, and
    > > could potentially result in the emergence of a de facto standard
    > > (no security) which diverges from the RFC standard (manditory 
    > > security).  I don't think diverging standards are in anyone's
    > > best interest, especially if there are practical ways to 
    > > aviod it.
    > > 
    > > 
    > 
    


Home

Last updated: Tue Sep 04 01:04:04 2001
6315 messages in chronological order