RE: Review of -10 security draft
At 12:30 PM 2/20/2002, Ernest Dainow wrote:
Can you confirm that draft 10 removes the requirement that every TCP connection must have a separate IKE Phase 2 SA?
Some sections of the document seem to have been modified to reflect this, but I did notice an exception, in Section 1.2 (iFCP) "Each IPsec SA established by IKE protects a single TCP connection".
Good catch. Sections 1.2, 4.2, and the iFCP document still need to absorb this change in full. We will need an additional pass (10 for iFCP, and 11 for the security draft) to achieve full consistency across the board.
thanks,
-franco
If this requirement has in fact been removed, it needs to be removed from the other draft documents, such as FCIP and iSCSI.
-----Original Message-----
From: Joseph D. Harwood [mailto:jharwood@vesta-corp.com]
Sent: Wednesday, February 20, 2002 11:02 AM
To: Bernard Aboba; Ernest.Dainow@mcdata.com
Cc: ips@ece.cmu.edu
Subject: RE: Review of -10 security draft
> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba@hotmail.com]
> Sent: Tuesday, February 19, 2002 2:42 PM
> To: jharwood@vesta-corp.com; Ernest.Dainow@mcdata.com
> Cc: ips@ece.cmu.edu
> Subject: Review of -10 security draft
>
>
> >How does requiring each connection to have its own Phase 2 SA mitigate the
> >vulnerability in this scenario?
>
> IPsec doesn't protect against this at all, and the text needs to make this
> clear.
>
> Please take a look at the latest -10 security draft in progress to see if
> this addresses the issue:
>
> http://www.drizzle.com/~aboba/RDMA/draft-ietf-ips-security-10.txt
>
It does, thanks!
Best Regards,
Joseph D. Harwood
(408) 838-9434
jharwood@vesta-corp.com
www.vesta-corp.com
Franco Travostino, Director Content Internetworking Lab
Advanced Technology
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
email: travos@nortelnetworks.com
Last updated: Wed Feb 20 18:18:00 2002