
    Re: iSCSI over TLS



    I am not advocating having a TOE implement TLS. I would count on the TOE to
    provide general purpose TCP/IP services and offload the host of these
    services. Security with TLS would be provided at a higher layer which could
    or could not use hardware acceleration. For example, my iSCSI target server
    uses a TLS implementation which in turn would interface with a TOE. The TLS
    implementation uses ECC (Elliptical Curve Crypto as the default cipher
    suite) in which the ECC engine is provided either in software or hardware.
    By doing so, I get flexibility to include any type of security. I can also
    deal with all the export legalities better. I agree that TOEs will also
    exist to take over everything up to layer 4. That's fine. This will be
    applicable to some but not all applications.
    
    I would really like the iSCSI standard to be flexible in the area of
    security rather than have too much biased toward layer 4 TOEs.
    
    -peter
    
    ----- Original Message -----
    From: "Sukanta Ganguly" <sganguly@opulentsystems.com>
    To: "Peter Mellquist" <peterm@seven-systems.com>; "IPS" <ips@ece.cmu.edu>
    Sent: Tuesday, November 06, 2001 10:27 PM
    Subject: Re: iSCSI over TLS
    
    
    > Peter,
    >   A very good point. I am not sure if the TOE vendors have plans of
    > implementing IPSec and/or TLS. But allowing TLS as another mechanism is also
    > going to increase the complexity on the TOE side. The more logic that is
    > applied to the TOE the more expensive and difficult it is going to get.
    >    The TOE vendors take over the packet processing at layer 4 and hence is
    > already fairly restrictive scale-wise. Adding TLS will make it more
    > difficult. However, a good mix of TLS on software and a synergistic TOE can
    > make a good combination. Hence I like the idea. I am not sure if any TOE
    > vendors have any comment of this???
    >
    >
    > SG
    >
    > *********** REPLY SEPARATOR  ***********
    >
    > On 11/6/2001 at 4:15 PM Peter Mellquist wrote:
    >
    > >I am aware that the ips group is leaning toward IPSEC as for the security
    > >solution but I am interested if anyone is also considering using Transport
    > >Layer Security (TLS)?
    > >
    > >I am concerned that the requirement for IPSEC might make TOEs more complex
    > >than they need to be. Can TLS be optionally used as well as defined by the
    > >specification? This could allow TOE vendors to only be concerned with
    > >providing normal IPv4 / IPv6 and leave the security to a higher layer. A TLS
    > >stack sitting above the TOE could then handle security very well. Also, I
    > >anticipate that the first generation of TOEs will not support IPSEC. With an
    > >iSCSI/TLS we could enable security solutions with the first generation of
    > >TOEs and get speed and security.
    > >
    > >Are any TOE vendors planning to support IPSEC?
    > >
    > >Can TLS or IPSEC be supported?
    > >
    > >-peter
    > >
    > >
    > >
    > >Peter Mellquist
    > >Seven Systems Technologies
    > >575 Menlo Drive Suite 2
    > >Rocklin CA
    > >916-577-1275
    > >peterm@seven-systems.com
    >
    >
    >
    >
    
    



Last updated: Thu Nov 08 15:17:36 2001