Re: iSCSI: security questions

Lee,

================

Q1: iSCSI v.08, page 142
"The authentication method cannot assume an underlying IPSec protection, since IPSec is optional to use."
IPSec is an option for IPv4, but it's mandatory for IPv6 (if I remember right). Should we make it more specific?

+ IPsec is mandatory to implement in IPv6 but not mandatory to use; the
+ policy can always be configured to plain processing.

Q2: iSCSI v.08, Chapter 10 (Security Considerations) mentions "...MUST implement..." a few times. Should we add something like "security is mandatory to implement, but not mandatory to use" in this chapter? This is stated explicitly in the SEC-IPS v.04 draft, and also implied in Chapter 5 (Login Phase) of iSCSI v.08.

+ I think that "MUST implement" is a quite clear and standard RFC statement,
+ and you don't need a "but optional to use" disclaimer each time it appears.

Q3: SEC-IPS v.04, page 11
"Negotiation between Initiator and Target is used to determine which authentication algorithm to use (or whether to use one at all); the connection closes if either side requires authentication and no mutually acceptable algorithm can be agreed upon"
The question is whether "none" is considered an "acceptable algorithm". In other words, if the initiator asks "AuthMethod=KRB5,SRP,none" during login, and the target answers "AuthMethod=none", should the connection be closed, or should the initiator continue with the LoginOperationalNegotiation stage? If the latter is acceptable, should we reword the last sentence like "...and no mutually acceptable algorithm or "none" can be agreed upon"?

+ "if either side requires authentication" rules out your example,
+ because by suggesting "none" and choosing "none" no side required
+ authentication.

Q4: SEC-IPS v.04, page 32
"If IPsec protection is removed on a connection, it MUST be reinstated before iSCSI, iFCP or FCIP packets are sent."
The question is, do we have to check security every time before sending out iSCSI packets?

+ This statement is going to change as a result of the sync effort with
+ the security draft; at least it would become non-normative.

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com
972-4-8296253
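The Q3 exchange, modelled as an added example (constructed here, not code from the thread or from either draft). It models the list-valued AuthMethod negotiation in the way the reply describes it: the initiator offers methods in preference order, the target answers with the first one it also accepts, and a side that does not list "none" is a side that requires authentication. The answer value "Reject" for the no-overlap case and the three outcome labels are assumptions of this model, not wording from the drafts.

```python
"""Model of the iSCSI login AuthMethod negotiation discussed in Q3.

Constructed example. Assumptions (not taken from the drafts):
  * a side that does not offer "none" requires authentication;
  * the target answers with the first value in the initiator's list
    that it accepts, or "Reject" when none is acceptable.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NONE = "none"
REJECT = "Reject"  # assumed answer when no offered value is acceptable


@dataclass
class Peer:
    name: str
    methods: List[str]  # AuthMethod values in order of preference

    def requires_auth(self) -> bool:
        # Offering "none" means this side is willing to skip authentication.
        return NONE not in self.methods


def select_auth_method(initiator_offer: List[str], target: Peer) -> str:
    """Target's answer: first initiator value it also lists, else REJECT."""
    for method in initiator_offer:
        if method in target.methods:
            return method
    return REJECT


def negotiate(initiator: Peer, target: Peer) -> Tuple[str, Optional[str], List[str]]:
    """Run the security negotiation stage of login.

    Returns (outcome, chosen, transcript) where outcome is one of
      "close"        - no mutually acceptable value (a side required auth
                       and the other could not satisfy it),
      "continue"     - "none" agreed, go on to LoginOperationalNegotiation,
      "authenticate" - a real method agreed, run its handshake next.
    """
    transcript = [f"{initiator.name}->{target.name}: AuthMethod="
                  + ",".join(initiator.methods)]
    chosen = select_auth_method(initiator.methods, target)
    transcript.append(f"{target.name}->{initiator.name}: AuthMethod={chosen}")

    if chosen == REJECT:
        # This is the "either side requires authentication and no mutually
        # acceptable algorithm" case from the draft text: close the connection.
        return "close", None, transcript
    if chosen == NONE:
        # Both sides offered "none", so neither side required authentication.
        return "continue", NONE, transcript
    return "authenticate", chosen, transcript


def q3_example() -> Tuple[str, Optional[str], List[str]]:
    """The exact exchange from Q3: I offers KRB5,SRP,none; T answers none."""
    initiator = Peer("I", ["KRB5", "SRP", NONE])
    target = Peer("T", [NONE])
    return negotiate(initiator, target)


def strict_initiator_example() -> Tuple[str, Optional[str], List[str]]:
    """Initiator that does not offer "none" (requires auth) meets a target
    that only accepts "none": the connection must close."""
    initiator = Peer("I", ["KRB5", "SRP"])
    target = Peer("T", [NONE])
    return negotiate(initiator, target)


def overlap_example() -> Tuple[str, Optional[str], List[str]]:
    """Both sides accept SRP; SRP is chosen even though the target would
    also have accepted "none", because SRP comes first in the offer."""
    initiator = Peer("I", ["KRB5", "SRP", NONE])
    target = Peer("T", ["SRP", NONE])
    return negotiate(initiator, target)


if __name__ == "__main__":
    for fn in (q3_example, strict_initiator_example, overlap_example):
        outcome, chosen, transcript = fn()
        print("\n".join(transcript))
        print("->", outcome, chosen, "\n")
```

The model makes the reply's point mechanical: in the Q3 exchange neither side required authentication, so "none" is simply the agreed value and login proceeds; the draft's "connection closes" clause only fires when a side that omitted "none" cannot find any overlap with its peer.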
Last updated: Wed Nov 14 11:17:41 2001