Re: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST

To: Black_David@emc.com
Subject: Re: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST
From: Paul Koning <ni1d@arrl.net>
Date: Mon, 1 Jul 2002 15:27:43 -0400
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <277DD60FB639D511AC0400B0D068B71E0564BFF5@CORPMX14>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 1 July 2002) by Black_David@emc.com:
> One more round of lining up the iSCSI and IPS Security drafts.
>  
> --David
>  
> -----Original Message-----
> From: Julian Satran [mailto:Julian_Satran@il.ibm.com]
> Sent: Sunday, June 30, 2002 7:27 AM
> To: Ofer Biran
> Cc: bernard_aboba@hotmail.com; Black_David@emc.com; Elizabeth Rodriguez
> Subject: Re: IPS-All: Reminder - Security draft last call ends Monday, July
> 1 at 8am EST
> 
> 
> 
> see comments in text  - Julo 
> 
> 
> 
> 	Ofer Biran 
> 
> 
> 06/30/2002 11:43 AM 
> 
> 
> 
>         To:        Elizabeth Rodriguez <elizabeth.g.rodriguez@123mail.net>,
> Black_David@emc.com, bernard_aboba@hotmail.com, Julian
> Satran/Haifa/IBM@IBMIL 
>         cc:         
>         From:        Ofer Biran/Haifa/IBM@IBMIL 
>         Subject:        Re: IPS-All: Reminder - Security draft last call
> ends Monday, July 1 at 8am EST Link
> <Notes:///C225670D0041573F/38D46BF5E8F08834852564B500129B2C/3719071310B5B10A
> C2256BE50077269A>  
>   
> 
> 
> 
> 
> 
> 
> 
> These comments are from mandatory statements sync check 
> I made with the iSCSI draft: 
> 
> ====================== 
> 
> 2.3.1.  Transforms 
> "When ESP is utilized, per-packet data origin authentication, integrity 
> and replay protection MUST be used." 
> 
> In iSCSI, the replay protection is MUST implement (not MUST use): 
> 7.3.1 Data Integrity and Authentication 
> "The ESP anti-replay service MUST also be implemented." 
> 
> (I'm not sure if the security or iSCSI should be changed ? I think the 
> recent tendency was not to impose IPsec requirements unless they are 
> justified by IPS uniqueness compare to other IPsec usage scenarios) 
> 
> 
> +++ I assume security draft will be fixed +++ 

Because of the Bellovin attack on encryption-only ESP, I believe that
the first of the two statements is the right one.

There's a lot of argument that integrity should be mandatory in ESP
across the board.  The reason why it currently isn't (at least as far
as I understand from Steve Kent) is that integrity in the IPsec layer
is superfluous if cryptographic integrity is provided at a higher
layer.  That case doesn't apply in IPS, so the risk of Bellovin's
attack is real.

    paul

References:
- FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST
  - From: Black_David@emc.com

Prev by Date: RE: plug fest and draft 14.
Next by Date: RE: IPS-All: Reminder - Security draft last call ends Monday, Jul y 1 at 8am EST
Prev by thread: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST
Next by thread: RE: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST
Index(es):
- Date
- Thread

Home

Last updated: Mon Jul 01 19:18:49 2002
11058 messages in chronological order