
    Re: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST



    Excerpt of message (sent 1 July 2002) by Black_David@emc.com:
    > One more round of lining up the iSCSI and IPS Security drafts.
    >  
    > --David
    >  
    > -----Original Message-----
    > From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
    > Sent: Sunday, June 30, 2002 7:27 AM
    > To: Ofer Biran
    > Cc: bernard_aboba@hotmail.com; Black_David@emc.com; Elizabeth Rodriguez
    > Subject: Re: IPS-All: Reminder - Security draft last call ends Monday, July
    > 1 at 8am EST
    > 
    > 
    > 
    > see comments in text  - Julo 
    > 
    > 	Ofer Biran 
    > 06/30/2002 11:43 AM 
    > 
    >         To:        Elizabeth Rodriguez <elizabeth.g.rodriguez@123mail.net>,
    > Black_David@emc.com, bernard_aboba@hotmail.com, Julian
    > Satran/Haifa/IBM@IBMIL 
    >         cc:         
    >         From:        Ofer Biran/Haifa/IBM@IBMIL 
    >         Subject:        Re: IPS-All: Reminder - Security draft last call
    > ends Monday, July 1 at 8am EST
    > 
    > These comments are from mandatory statements sync check 
    > I made with the iSCSI draft: 
    > 
    > ====================== 
    > 
    > 2.3.1.  Transforms 
    > "When ESP is utilized, per-packet data origin authentication, integrity 
    > and replay protection MUST be used." 
    > 
    > In iSCSI, the replay protection is MUST implement (not MUST use): 
    > 7.3.1 Data Integrity and Authentication 
    > "The ESP anti-replay service MUST also be implemented." 
    > 
    > (I'm not sure whether the security or the iSCSI draft should be changed? I think the 
    > recent tendency was not to impose IPsec requirements unless they are 
    > justified by IPS uniqueness compared to other IPsec usage scenarios) 
    > 
    > 
    > +++ I assume security draft will be fixed +++ 
    
    Because of the Bellovin attack on encryption-only ESP, I believe that
    the first of the two statements is the right one.
    
    There's a lot of argument that integrity should be mandatory in ESP
    across the board.  The reason why it currently isn't (at least as far
    as I understand from Steve Kent) is that integrity in the IPsec layer
    is superfluous if cryptographic integrity is provided at a higher
    layer.  That case doesn't apply in IPS, so the risk of Bellovin's
    attack is real.
    
        paul
    
    
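The point Paul makes above, that an IPsec deployment without a higher-layer integrity check is exposed to Bellovin's attacks on encryption-only ESP, rests on CBC being malleable: flipping a bit in ciphertext block j flips the same bit in plaintext block j+1 (and scrambles block j), and without an ICV the receiver has no way to notice. The following is an added illustration, not part of this thread or of any IPS draft. It uses a toy Feistel cipher in place of AES/3DES (the attack does not depend on the cipher), a constructed SCSI-like payload, constructed keys and IV, and a simplified ESP layout whose ICV covers only IV and ciphertext (real ESP also covers SPI and sequence number).

```python
import hashlib
import hmac

BLOCK = 8                                  # toy 64-bit block size
ICV_LEN = 12                               # 96-bit truncated ICV, as with HMAC-SHA1-96
KEY = b"\x01" * 16                         # constructed encryption key
MAC_KEY = b"\x02" * 16                     # constructed integrity key
IV = bytes(range(BLOCK))                   # constructed per-packet IV
PAYLOAD = b"SCSIcmd:LUN=0001len=0512"      # constructed 3-block payload


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function: SHA-256 over key, round index and half block, truncated to a half block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """8-round balanced Feistel network, a stand-in for a real block cipher."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(8):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo payload must be block-aligned"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i : i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, cur), prev))   # P[j] = D(C[j]) XOR C[j-1]
        prev = cur
    return b"".join(out)


# Encryption-only "ESP": packet = IV || CBC ciphertext, no ICV.
def esp_encrypt_only(key: bytes, iv: bytes, payload: bytes) -> bytes:
    return iv + cbc_encrypt(key, iv, payload)


def esp_decrypt_encrypt_only(key: bytes, packet: bytes) -> bytes:
    # Nothing here can distinguish a tampered packet from a genuine one.
    return cbc_decrypt(key, packet[:BLOCK], packet[BLOCK:])


# ESP with integrity: packet = IV || ciphertext || ICV (SPI/sequence number omitted).
def esp_encrypt_with_icv(key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    body = iv + cbc_encrypt(key, iv, payload)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decrypt_with_icv(key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet dropped")
    return cbc_decrypt(key, body[:BLOCK], body[BLOCK:])


def flip_bits(packet: bytes, offset: int, mask: int) -> bytes:
    """Active attacker on the wire: XOR a mask into one packet byte."""
    buf = bytearray(packet)
    buf[offset] ^= mask
    return bytes(buf)


# Goal: turn "LUN=0001" (plaintext block 1) into "LUN=0003". Since
# P[1] = D(C[1]) XOR C[0], XORing 0x02 into the last byte of C[0] turns
# '1' (0x31) into '3' (0x33) in P[1] and scrambles P[0]; P[2] is untouched.
TARGET_OFFSET = BLOCK + 7     # ciphertext block 0 follows the IV; its last byte
TARGET_MASK = 0x02


def tamper_encryption_only() -> bytes:
    """What an encryption-only receiver accepts after the flip."""
    pkt = esp_encrypt_only(KEY, IV, PAYLOAD)
    return esp_decrypt_encrypt_only(KEY, flip_bits(pkt, TARGET_OFFSET, TARGET_MASK))


def tamper_with_icv() -> bool:
    """Same flip against ESP with an ICV; True means the receiver dropped the packet."""
    pkt = esp_encrypt_with_icv(KEY, MAC_KEY, IV, PAYLOAD)
    try:
        esp_decrypt_with_icv(KEY, MAC_KEY, flip_bits(pkt, TARGET_OFFSET, TARGET_MASK))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    got = tamper_encryption_only()
    print("encryption-only receiver accepted:", got[BLOCK : 2 * BLOCK], "(block 0 scrambled)")
    print("ESP with ICV dropped the packet:", tamper_with_icv())
```

Run as a script it shows the encryption-only receiver handing `b'LUN=0003'` up to the SCSI layer while the ICV-protected receiver drops the same packet. The scrambled first block is the cost the attacker pays; Bellovin's point was that many protocols carry fields where such garbage is tolerated or unnoticed, and a layer like iSCSI that itself adds no cryptographic integrity check cannot recover from it, which is why the "MUST be used" wording for ESP integrity is the safer one.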


Last updated: Mon Jul 01 19:18:49 2002