RE: Security in iSCSI

To: Black_David@emc.com
Subject: RE: Security in iSCSI
From: "Julian Satran" <Julian_Satran@il.ibm.com>
Date: Wed, 22 Aug 2001 17:04:25 +0300
Cc: ips@ece.cmu.edu
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu

David,

I am certainly not confusing issues.  Removing cryptographic digests was
never a consensus call thing.
And true I agreed that we might remove the current specific ones but even
doing this will require everybody to agree after being clear what the
consequences are. As for using an SRP keys in ESP they will serve a
completely different purpose. A cryptographically safe digest on data is
needed to get a cryptographically safe transfer of data
through iSCSI proxies - CRCs are not cryptographically safe.

Julo

Black_David@emc.com on 22-08-2001 16:26:39

Please respond to Black_David@emc.com

To:   Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
cc:
Subject:  RE: Security in iSCSI



Julian,

> To be absolutely correct the issue of removing the option of
cryptographyc
> digest was brough up
> by you as a possibility,  under the now fashionable umbrela of
> simplification, and I agree that we might want to
> remove some of them and limit ourselves to the set close to what we
intend
> to make mandatory to implement (e.g., if we make SRP mandatory to
implement
> then a SRP "keyed" digest could be the right thing to specify - not
> mandate).  As Kerberos and CHAP are popular in enterprises due to their
> manageability removing them and leving the implementation for them to be
> completely vendor specific is not a good idea.

You've confused two separate issues.  The digests referred to in
the email exchange below are the KRB5 and SPKM digests in the
table on p.135 of -07 which I proposed for removal on the list
well before the London meeting and which you agreed to do; please
make sure that they do not appear in -08.  There is no SRP keyed
inband digest specified anywhere in -07 -- at the moment, any such
functionality would be obtained via keying of ESP.

The issue of whether all 5 of the authentication methods (Kerberos, SRP,
SPKM-1, SPKM-2, CHAP) in the table on p.136 are needed is a separate and
open issue that is on the agenda for Orange County.

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: RE: Login Proposal
Next by Date: RE: iSCSI Login Proposal
Prev by thread: RE: Security in iSCSI
Next by thread: RE: Security in iSCSI
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:03:57 2001
6315 messages in chronological order