SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Security in iSCSI



    
    
    Howard,
    
    Currently SRP is the mandatory (to implement) end to end authentication
    method on the iSCSI level.
    ESP with X authentication algorithm (X to be decided) is mandatory (to
    implement) on the IP level.
    The ESP (mandatory to implement) keying mechanism will be discussed in the
    interim meeting. It will
    either be based on the resulting SRP key (or other authentication method)
    according to David's draft, or on
    IKE, according to draft-aboba-ips-iscsi-security-00.txt (out soon).
    
    The existence of the current  iSCSI level cryptographic digests will also
    be discussed in the interim meeting.
    
    Now for the specific questions:
    
    1. Does SRP authentication imply ESP with NULL encryption? Of course this
    is security at the IP level rather than the iSCSI layer. What about a
    different header and data digest method?
    
    + ESP with NULL encryption (or ESP with X authentication) is mandatory to
    implement - this is not implied by any iSCSI level authentication
    + method. Having different header and data digests as a different issue,
    more important to error detection / recovery rather than security.
    
    2. Is there thought that the 'hash' result of SRP could be applied to the
    header and the data separately using the digests in the PDU? I guess one
    could envision a 'routing application' that could verify CRC32-c on the
    header in order to route the PDU but not be 'trusted' to not tamper with
    the data (SHA1 data digest).
    
    + As I mentioned above, the whole issue of iSCSI level cryptographic
    digests will be discussed in the interim meeting (where the first question
    + is - with mandatory ESP MACs, should they stay ?
    
    
    3. Under what conditions are the header and data digests used?
    
    + In situations where the data still has a 'sensitive' path after the IPSec
    offload, you might still want end to end CRC in addition to
    + the ESP MAC that covers only the IPSec portion.  These kind of scenarios
    are discussed on both drafts mention above.
    
    4. I am not an IPsec expert, but I thought that one way IPsec is used is to
    set up a tunnel for all traffic from one IP address to another. Is it
    possible that an initiator might want an iSCSI TCP stream and an HTTP
    stream to the same IP address with different levels of security? Using the
    iSCSI header and data digests, this would be possible.
    
    + Yes, it is possible by specifying different IPSec SA policy for different
    TCP connections.
    
    
       Regards,
          Ofer
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    


Home

Last updated: Tue Sep 04 01:03:58 2001
6315 messages in chronological order