|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Security in iSCSII have been trying to follow the evolving story on authentication, digests, SRP and ESP for a few weeks. In light of darft 07 and David's recent offering, draft-black-ips-iscsi-security-01.txt, I need to ask some questions to help me clarify some of the implications for an implementation. Some items I had taken as true:
2. Draft 7 indicates that there must be mandatory support for CRC-32c for both header and data. Presumably this would imply one use of a 32 bit header and data digest to carry the CRC32. Draft 7 states that "Implementations MAY also negotiate digests with security significance for data authentication and integrity". 3. Draft 7 Appendix A also indicates a mandatory authentication method: "Initiator and target MUST implement SRP."
Up to this point I had been thinking that the header and data digests were to be used for all data authentication (even cryptographic integrity). If there was to be any data confidentiality, that would be outside of iSCSI and probably accompanied by no header and data digest usage. Then I read in David's paper, Section 4.3: "The current status is that ESP [RFC-2406] with NULL encryption has been chosen as the implementation approach to meet this requirement (Cryptographic Integrity and Data Origin Authentication), but the Authentication Algorithm (MAC, e.g., HMAC-SHA1) has not been selected." Questions:
2. Is there thought that the 'hash' result of SRP could be applied to the header and the data separately using the digests in the PDU? I guess one could envision a 'routing application' that could verify CRC32-c on the header in order to route the PDU but not be 'trusted' to not tamper with the data (SHA1 data digest). 3. Under what conditions are the header and data digests used?
Thanks for your help in advance.... Howard Cunningham, Senior MTS
-----Original Message-----
David, I am becoming more and more concerned about the IPS security strategy the
I want to propose that our security story cover
This will allow the IPS working group do what we do best, and allow the
Bill Strahm
Home Last updated: Sat Sep 15 00:17:12 2001 6548 messages in chronological order |