RE: Security in iSCSI

To: bill@strahm.net, ips@ece.cmu.edu
Subject: RE: Security in iSCSI
From: Black_David@emc.com
Date: Tue, 21 Aug 2001 09:41:45 -0400
Cc: Black_David@emc.com
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Bill,

> I am becoming more and more concerned about the IPS security strategy the
> longer I think about having to implement this into product.  The first
> problem with defining a new keying standard is that an iSCSI vendor will
> have to implement this keying standard, and then on a per OS bassis
> attempt to push a negotiated key down into the IPsec layer to handle the
> correct iSCSI traffic.  Many of these interfaces will be difficult to
> find, if they are available at all...

Keep in mind that the SRP keying of ESP mechanism described in
draft-black-ips-iscsi-security-01.txt is only a proposal, and use
of IKE is another proposal - see draft-aboba-ips-iscsi-security-00.txt
(announcement just forwarded to ips) as well as the text in draft-black-...
about it being an individual submission that the WG is free
to fold, spindle, mutilate, etc.  The proverbial "fix" is not in
for the SRP/ESP keying, and I have no intention of forcing the WG
to adopt it - it's on the agenda to get a fair hearing in Orange
County, and I have no problem with a "thanks, but no thanks" decision
about pursuing it.

> I want to propose that our security story cover
> 1) Defining a security policy that can be used to cover iSCSI traffic
> 2) Allowing end users to use this security policy with their OSes current
> IPsec stacks (on both the client and target end), or integrating an IPsec
> stack into products
> 3) Allowing the IPsec WG cover all aspects of algorithm selection, key
> negotiating, encapsulation, etc. that are needed

That's certainly a reasonable position to take on this topic.  The result
that approach might be:
	IKE, 3DES-CBC, HMAC-SHA1
as "MUST implement" algorithms.  I've seen pushback/objection to all
three on various grounds, hence the need to discuss all of this in
Orange County.

Any authentication (e.g., HMAC-SHA-1, AES-CBC-MAC, UMAC, PMAC) or
encryption (e.g., 3DES-CBC, AES-CBC, AES-counter) algorithm that we
choose to use will need a standards track RFC that goes through the
ipsec WG, and the ipsec WG is prepared to work on advancing such drafts
in the next few months.  I WILL NOT PERMIT such drafts to be directly
worked on here in IPS.  Keying is more problematic, as it's not clear
what the right home for something like the SRP/ESP keying mechanism
is, but OTOH, IKE is quite a bit for an implementer to swallow.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: iSCSI: Alias consensus call FAILURE
Next by Date: Re: Security in iSCSI
Prev by thread: RE: Security in iSCSI
Next by thread: Re: Security in iSCSI
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:58 2001
6315 messages in chronological order