RE: Security in iSCSI

To: "Cunningham, Howard" <Howard.Cunningham@spirentcom.com>
Subject: RE: Security in iSCSI
From: "Ofer Biran" <BIRAN@il.ibm.com>
Date: Tue, 21 Aug 2001 16:20:54 +0300
Cc: ips@ece.cmu.edu
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu



Howard,

Currently SRP is the mandatory (to implement) end to end authentication
method on the iSCSI level.
ESP with X authentication algorithm (X to be decided) is mandatory (to
implement) on the IP level.
The ESP (mandatory to implement) keying mechanism will be discussed in the
interim meeting. It will
either be based on the resulting SRP key (or other authentication method)
according to David's draft, or on
IKE, according to draft-aboba-ips-iscsi-security-00.txt (out soon).

The existence of the current  iSCSI level cryptographic digests will also
be discussed in the interim meeting.

Now for the specific questions:

1. Does SRP authentication imply ESP with NULL encryption? Of course this
is security at the IP level rather than the iSCSI layer. What about a
different header and data digest method?

+ ESP with NULL encryption (or ESP with X authentication) is mandatory to
implement - this is not implied by any iSCSI level authentication
+ method. Having different header and data digests as a different issue,
more important to error detection / recovery rather than security.

2. Is there thought that the 'hash' result of SRP could be applied to the
header and the data separately using the digests in the PDU? I guess one
could envision a 'routing application' that could verify CRC32-c on the
header in order to route the PDU but not be 'trusted' to not tamper with
the data (SHA1 data digest).

+ As I mentioned above, the whole issue of iSCSI level cryptographic
digests will be discussed in the interim meeting (where the first question
+ is - with mandatory ESP MACs, should they stay ?


3. Under what conditions are the header and data digests used?

+ In situations where the data still has a 'sensitive' path after the IPSec
offload, you might still want end to end CRC in addition to
+ the ESP MAC that covers only the IPSec portion.  These kind of scenarios
are discussed on both drafts mention above.

4. I am not an IPsec expert, but I thought that one way IPsec is used is to
set up a tunnel for all traffic from one IP address to another. Is it
possible that an initiator might want an iSCSI TCP stream and an HTTP
stream to the same IP address with different levels of security? Using the
iSCSI header and data digests, this would be possible.

+ Yes, it is possible by specifying different IPSec SA policy for different
TCP connections.


   Regards,
      Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253

Prev by Date: RE: Security in iSCSI
Next by Date: FW: I-D ACTION:draft-aboba-ips-iscsi-security-00.txt
Prev by thread: RE: Security in iSCSI
Next by thread: RE: Security in iSCSI
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:58 2001
6315 messages in chronological order