RE: Review of -10 security draft

Can you confirm that draft 10 removes the requirement that every TCP connection must have a separate IKE Phase 2 SA? Some sections of the document seem to have been modified to reflect this, but I did notice an exception, in Section 1.2 (iFCP): "Each IPsec SA established by IKE protects a single TCP connection".

If this requirement has in fact been removed, it needs to be removed from the other draft documents, such as FCIP and iSCSI.

-----Original Message-----
From: Joseph D. Harwood [mailto:jharwood@vesta-corp.com]
Sent: Wednesday, February 20, 2002 11:02 AM
To: Bernard Aboba; Ernest.Dainow@mcdata.com
Cc: ips@ece.cmu.edu
Subject: RE: Review of -10 security draft

> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba@hotmail.com]
> Sent: Tuesday, February 19, 2002 2:42 PM
> To: jharwood@vesta-corp.com; Ernest.Dainow@mcdata.com
> Cc: ips@ece.cmu.edu
> Subject: Review of -10 security draft
>
> >How does requiring each connection to have its own Phase 2 SA mitigate the
> >vulnerability in this scenario?
>
> IPsec doesn't protect against this at all, and the text needs to make this
> clear.
>
> Please take a look at the latest -10 security draft in progress to see if
> this addresses the issue:
>
> http://www.drizzle.com/~aboba/RDMA/draft-ietf-ips-security-10.txt
>

It does, thanks!

Best Regards,
Joseph D. Harwood
(408) 838-9434
jharwood@vesta-corp.com
www.vesta-corp.com
Last updated: Wed Feb 20 15:18:07 2002