Relation between iSCSI session and IPSec SAs

To: "'ips@ece.cmu.edu'" <ips@ece.cmu.edu>
Subject: Relation between iSCSI session and IPSec SAs
From: Christina Helbig <cbh@zyfer.com>
Date: Mon, 29 Apr 2002 11:42:29 -0700
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Hi,
I have a question regarding the relation between iSCSI session and the IPsec
SAs. 
From the minutes of Minneapolis:
"...a single IPSec Phase 2 SA per TCP connection ...had no security value." 
I agree and like to extend this:
"...a single IKE negotiation per multiple iSCSI session (between the same IP
addresses of initiator and target) ...had no security value." 
I found a similar statement in the mailing list from February but no
discussion about this issue:
"If an implementor wants to put all their iSCSI sessions on the same IPSec
SA, I think they should have that liberty."
So the question is, what is the situation? Must we negotiate per multiple
session (and evaluate packets additional for a session identifier) or must
we not?
Thank you for the answer.


Christina Helbig
Sr. Security System Analyst
Zyfer
cbh@zyfer.com
tel: 714 780 7618
fax:714 780 7649

Follow-Ups:
- Re: Relation between iSCSI session and IPSec SAs
  - From: "Jussi Kukkonen" <kukkonen@ssh.com>

Prev by Date: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by Date: iSCSI: large keys during login?
Prev by thread: Re: iSCSI: Active and Passive attacks
Next by thread: Re: Relation between iSCSI session and IPSec SAs
Index(es):
- Date
- Thread

Home

Last updated: Tue Apr 30 15:18:26 2002
9894 messages in chronological order