SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI over TLS



    Bill,
    
    The one "tiny" item you forgot to mention is that TLS records span TCP and 
    iSCSI PDU boundaries. TLS records can't be decrypted in face of TCP packet 
    loss and markers/alignment can't be recovered (to be more precise require 
    a lot more tweaking of the stacks).
    
    Julo
    
    
    
    
    "Bill Strahm" <bill@Sanera.net>
    08-11-01 23:55
    Please respond to "Bill Strahm"
    
     
            To:     Julian Satran/Haifa/IBM@IBMIL
            cc: 
            Subject:        RE: iSCSI over TLS
    
     
    
    Julian,
    
    I do not understand how TLS interferes with delivery of iSCSI packets any
    more than IPsec.  In either case your TOE MUST decrypt the packet and deal
    with the results.  I do not see how this changes the problem if the packet
    is decrypted before going to the TOE (again the hardware to do this MUST 
    be
    on the NIC device) or after going through the TOE processing...
    Quick summary of what I think needs to happen
    IPsec
    1) receive L2 packet
    2) determine it is IP
    3) Apply packet policy based on L3 header
    4) Decrypt packet - verify it is covered by the SA
    5) Pass to L4 (TCP) for processing
    6) Verify Framing/etc.
    7) Done
    TLS
    1) Recieve L2 Packet
    2) Pass to L3
    3) Pass to L4 (TCP) for processing
    4) Decrypt packet
    5) Verify Framing/etc
    6) Done
    
    It turns out the policies for TLS are much simpler than for IPsec, the
    application itself gets to determine if security should be turned on or 
    not
    (rather than another application pushing policies into an SPD) and I don't
    see a difference in the security offload requirements.  In many cases TLS
    will go through firewalls/NAT/NATP much better than IPsec, allowing for a
    wider deployment model.
    
    
    Bill Strahm
    +========+=========+=========+=========+=========+=========+=========+
    Bill Strahm     Software Development is a race between Programmers
    Member of the   trying to build bigger and better idiot proof software
    Technical Staff and the Universe trying to produce bigger and better
    bill@sanera.net idiots.
    (503) 601-0263  So far the Universe is winning --- Rich Cook
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Julian Satran
    Sent: Tuesday, November 06, 2001 10:17 PM
    To: ips@ece.cmu.edu
    Subject: Re: iSCSI over TLS
    
    
    Peter,
    
    A group of us seriously considered TLS. The main reason for dropping it
    was that it would interfere with any mechanism we could think of doing
    framing and steering and we thought that framing and steering are
    essential at 10Gbps and over.
    
    Julo
    
    
    
    
    "Peter Mellquist" <peterm@seven-systems.com>
    Sent by: owner-ips@ece.cmu.edu
    07-11-01 02:15
    Please respond to "Peter Mellquist"
    
    
            To:     <ips@ece.cmu.edu>
            cc:
            Subject:        iSCSI over TLS
    
    
    
    I am aware that the ips group is leaning toward IPSEC as for the security
    solution but I am interested if anyone is also considering using Transport
    Layer Security (TLS)?
    
    I am concerned that the requirement for IPSEC might make TOEs  more
    complex
    than they need to be. Can TLS be optionally used as well as defined by the
    specification? This could allow TOE vendors to only be concerned with
    providing normal IPv4 / ipv6 and leave the security to a higher layer. A
    TLS
    stack sitting above the TOE could then handle security very well. Also, I
    anticipate that the first generation of TOEs will not support IPSEC. With
    a
    iSCSI/TLS we could enable security solutions with the first generation of
    TOEs and get speed and security.
    
    Are any TOE vendors planning to support IPSEC?
    
    Can TLS or IPSEC be supported?
    
    -peter
    
    
    
    Peter Mellquist
    Seven Systems Technologies
    575 Menlo Drive Suite 2
    Rocklin CA
    916-577-1275
    peterm@seven-systems.com
    
    
    
    
    
    
    
    


Home

Last updated: Fri Nov 09 11:17:36 2001
7691 messages in chronological order