|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] iSCSI: security questionsHi, I got a few questions on iSCSI security. I would appreciate it if someone could help. Thank you. ================ Q1: iSCSI v.08, page 142 "The authentication method cannot assume an underlying IPSec protection, since IPSec is optional to use." IPSec is an option for IPv4, but it's mandatory for IPv6 (if I remember right). Should we make it more specific? Q2: iSCSI v.08 Chapter 10 (Security Consideration) mentions a few times of "...MUST implement...". Should we add something like "security is mandatory to implement, but not mandatory to use" in this chapter? This is stated explicitly in SEC-IPS v.04 draft, and also implied in Chapter 5 (Login Phase) of iSCSI v.08. Q3: SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used to determine which authentication algorithm to use (or whether to use one at all); the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon" The question is whether "none" is considered as an "acceptable algorithm". In other words, if initiator asks "AuthMethod=KRB5,SRP,none" during login, and target answers "AuthMethod=none", should the connection be closed, or should the initiator continue with LoginOperationalNegotiation stage? If latter is acceptable, should we reword the last sentence like "...and no mutually acceptable algorithm or "none" can be agreed upon"? Q4: SEC-IPS v.04, page32 "If IPsec protection is removed on a connection, it MUST be reinstated before iSCSI, iFCP or FCIP packets are sent." The question is do we have to check security every time before sending out iSCSI packets? Lee
Home Last updated: Wed Nov 14 06:17:42 2001 7806 messages in chronological order |