|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Security in iSCSIHoward, Currently SRP is the mandatory (to implement) end to end authentication method on the iSCSI level. ESP with X authentication algorithm (X to be decided) is mandatory (to implement) on the IP level. The ESP (mandatory to implement) keying mechanism will be discussed in the interim meeting. It will either be based on the resulting SRP key (or other authentication method) according to David's draft, or on IKE, according to draft-aboba-ips-iscsi-security-00.txt (out soon). The existence of the current iSCSI level cryptographic digests will also be discussed in the interim meeting. Now for the specific questions: 1. Does SRP authentication imply ESP with NULL encryption? Of course this is security at the IP level rather than the iSCSI layer. What about a different header and data digest method? + ESP with NULL encryption (or ESP with X authentication) is mandatory to implement - this is not implied by any iSCSI level authentication + method. Having different header and data digests as a different issue, more important to error detection / recovery rather than security. 2. Is there thought that the 'hash' result of SRP could be applied to the header and the data separately using the digests in the PDU? I guess one could envision a 'routing application' that could verify CRC32-c on the header in order to route the PDU but not be 'trusted' to not tamper with the data (SHA1 data digest). + As I mentioned above, the whole issue of iSCSI level cryptographic digests will be discussed in the interim meeting (where the first question + is - with mandatory ESP MACs, should they stay ? 3. Under what conditions are the header and data digests used? + In situations where the data still has a 'sensitive' path after the IPSec offload, you might still want end to end CRC in addition to + the ESP MAC that covers only the IPSec portion. These kind of scenarios are discussed on both drafts mention above. 4. I am not an IPsec expert, but I thought that one way IPsec is used is to set up a tunnel for all traffic from one IP address to another. Is it possible that an initiator might want an iSCSI TCP stream and an HTTP stream to the same IP address with different levels of security? Using the iSCSI header and data digests, this would be possible. + Yes, it is possible by specifying different IPSec SA policy for different TCP connections. Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253
Home Last updated: Tue Sep 04 01:03:58 2001 6315 messages in chronological order |