
    iSCSI: security questions


    • To: <ips@ece.cmu.edu>
    • Subject: iSCSI: security questions
    • From: "Lee Xing" <lxing@Crossroads.com>
    • Date: Tue, 13 Nov 2001 18:10:02 -0600

    Hi,
    
    I got a few questions on iSCSI security.  I would appreciate it if
    someone could help.  Thank you.
    
    ================
    Q1: iSCSI v.08, page 142 "The authentication method cannot assume an
    underlying IPSec protection, since IPSec is optional to use."  IPSec is
    an option for IPv4, but it's mandatory for IPv6 (if I remember right).
    Should we make it more specific?
    
    Q2: iSCSI v.08 Chapter 10 (Security Consideration) mentions
    "...MUST implement..." a few times.  Should we add something like "security is
    mandatory to implement, but not mandatory to use" in this chapter?  This
    is stated explicitly in SEC-IPS v.04 draft, and also implied in Chapter
    5 (Login Phase) of iSCSI v.08.
    
    Q3:
    SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
    to determine which authentication algorithm to use (or whether to use
    one at all); the connection closes if either side requires
    authentication and no mutually acceptable algorithm can be agreed upon"
    
    The question is whether "none" is considered as an "acceptable
    algorithm".  In other words, if initiator asks
    "AuthMethod=KRB5,SRP,none" during login, and target answers
    "AuthMethod=none", should the connection be closed, or should the
    initiator continue with LoginOperationalNegotiation stage?  If the latter is
    acceptable, should we reword the last sentence like "...and no mutually
    acceptable algorithm or "none" can be agreed upon"?
    
    Q4:
    SEC-IPS v.04, page 32 "If IPsec protection is removed on a connection, it
    MUST be reinstated before iSCSI, iFCP or FCIP packets are sent."  The
    question is do we have to check security every time before sending out
    iSCSI packets?
    
    
    
    Lee
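
One reading of the rule quoted in Q3, as an added example that is not part of the original message or of either draft: "none" counts as mutually acceptable only when the initiator offered it and the target does not require authentication. The function names, the outcome strings, and the assumption that the offer is listed in initiator preference order are illustrative.

```python
NONE = "none"  # spelled as in the message; compared case-insensitively

def parse_auth_methods(text):
    """Parse 'AuthMethod=KRB5,SRP,none' into an ordered list of names."""
    key, sep, value = text.partition("=")
    if key.strip() != "AuthMethod" or not sep:
        raise ValueError("not an AuthMethod pair: %r" % text)
    methods = [m.strip() for m in value.split(",") if m.strip()]
    if not methods:
        raise ValueError("empty AuthMethod list")
    return methods

def is_none(method):
    return method.lower() == NONE

def target_select(offer_text, supported, requires_auth):
    """Target side: first offered method the target accepts, else None.
    Assumption: the offer is in initiator preference order."""
    for method in parse_auth_methods(offer_text):
        if is_none(method):
            if not requires_auth:
                return method
        elif method in supported:
            return method
    return None  # nothing mutually acceptable

def initiator_check(offer_text, answer):
    """Initiator side: accept only an answer that was actually offered.
    An initiator that requires authentication never offers 'none',
    so an unsolicited 'none' answer is rejected here."""
    offered = [m.lower() for m in parse_auth_methods(offer_text)]
    if answer is None or answer.lower() not in offered:
        return "close"
    return "proceed-no-auth" if is_none(answer) else "authenticate:" + answer

def login(offer_text, supported, requires_auth):
    """Run both sides and return the connection outcome."""
    answer = target_select(offer_text, supported, requires_auth)
    return initiator_check(offer_text, answer)

if __name__ == "__main__":
    offer = "AuthMethod=KRB5,SRP,none"  # constructed from the example in Q3
    print(login(offer, set(), False))      # target has no methods, no policy
    print(login(offer, {"SRP"}, True))     # target requires authentication
    print(initiator_check("AuthMethod=KRB5,SRP", "none"))  # unsolicited none
```

The third call is the case an initiator has to guard against: a "none" answer to an offer that did not contain it is treated as a failed negotiation, not as permission to continue unauthenticated.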
    
    



Last updated: Wed Nov 14 06:17:42 2001