Open Questions on iSCSI 07 security

To: <ips@ece.cmu.edu>
Subject: Open Questions on iSCSI 07 security
From: VAHUJA@aol.com
Date: Fri, 17 Aug 2001 17:48:05 EDT
Cc: <vahuja@aol.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-ips@ece.cmu.edu

I have been reading the iSCSI security in the drafts s (06, 07) and David's paper on the iSCSI security issues. I have a few questions that seem to (me to) remain unaswered. If they are already answered, I'd welcome the answers; if not - I suggest we include these in the discussions on 8/28th at Irvine.

AUTHENTICATION: The 06 level states authentication is a MUST and the 07 level states that SRP is a MUST. But the SRP RFC does not provide sufficient details on formats and protocols that will be needed to allow 
interoperability among different implementation.

A related development is the SLAP protocol from Brocade that uses PKI for authentication and possibly other use. Any suggestions on converging the two approaches for authenticating storage devices: iSCSI or otherwise.

DATA INTEGRITY: This is a MUST in 06 level. But no algorithm has been identified. The draft does state that IPSec can be used here - and IPSec requires use of HMAC-MD5 and HMAC-SHA 1, and a few optional. It'd perhaps be better to state in the iSCSI standard the specific chosen algorithms for iSCSI Data Integrity. 

CONFIDENTIALITY: I agree with David that we must specify the algorithm, whther that's OPT or a MUST.
And what about key exchange (IKE, D-H etc.)? Also, IPSec, as far as I can tell, not yet blessed AES - perhaps we should address this.

Thanks, Vijay

Prev by Date: RE: iSCSI: [Fwd: Crc-32c example in iSCSI spec]
Next by Date: RE: iSCSI: [Fwd: Crc-32c example in iSCSI spec]
Prev by thread: FCencap: Revision 2 is available
Next by thread: RE: Open Questions on iSCSI 07 security
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:59 2001
6315 messages in chronological order