RE: iSCSI: IKE normative guidelines

Yes, these guidelines differ from those RFCs in a number of ways, based on things learned since those RFCs were written. Many of these are things that would go into revised versions of the IPsec RFCs, but revising the IPsec RFCs turns out to be intractable to the point of near-impossibility for the security folks - you'll have to ask them why. See the IPS security draft for some further explanation of these changes.

Main mode is not "at least as good" as aggressive mode when group pre-shared keys are used; see the security draft and the ipsec WG "improveike" draft for details. Group pre-shared keys are often used in practice because they greatly simplify key management.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

> -----Original Message-----
> From: Paul Koning [mailto:ni1d@arrl.net]
> Sent: Friday, November 09, 2001 4:45 PM
> To: BIRAN@il.ibm.com
> Cc: ips@ece.cmu.edu
> Subject: Re: iSCSI: IKE normative guidelines
>
>
> >>>>> "Ofer" == Ofer Biran <BIRAN@il.ibm.com> writes:
>
> Ofer> In the framework of the effort being done now by the security
> Ofer> team to sync the normative statements in the security draft
> Ofer> with the protocol drafts, I suggest to adopt the following IKE
> Ofer> normative guidelines that already appear in the security draft
> Ofer> for iSCSI: ...
>
> Does any of this differ from what's in RFC 2408/2409? If so, why? If
> not, why not just refer to that standard and say nothing further?
>
> If we're going to be different, I'd suggest dropping aggressive mode
> since main mode is at least as good.
>
> paul
>
Last updated: Mon Nov 12 12:17:42 2001