RE: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST

> > 2.3.1. Transforms
> > "When ESP is utilized, per-packet data origin authentication,
> > integrity and replay protection MUST be used."
> >
> > In iSCSI, the replay protection is MUST implement (not MUST use):
> > 7.3.1 Data Integrity and Authentication
> > "The ESP anti-replay service MUST also be implemented."
> >
> > (I'm not sure if the security or iSCSI should be changed?
> I think the recent tendency was not to impose IPsec requirements unless
> they are justified by IPS uniqueness compared to other IPsec usage scenarios)
> >
> >
> > +++ I assume security draft will be fixed +++
>
> Because of the Bellovin attack on encryption-only ESP, I believe that
> the first of the two statements is the right one.
>
> There's a lot of argument that integrity should be mandatory in ESP
> across the board. The reason why it currently isn't (at least as far
> as I understand from Steve Kent) is that integrity in the IPsec layer
> is superfluous if cryptographic integrity is provided at a higher
> layer. That case doesn't apply in IPS, so the risk of Bellovin's
> attack is real.

Paul - this is only about the anti-replay service; it does not propose to change the current iSCSI and IPS Security draft mandates that integrity be "mandatory in ESP across the board". Are you concerned that anti-replay should also be mandatory across the board?

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------
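The two mechanisms argued over above, integrity (the ICV) and the anti-replay service, as an added worked example; this is not code from the message or from either draft. It builds ESP-shaped packets (SPI | Seq | IV | ciphertext [| ICV]) and shows what the Bellovin attack on encryption-only ESP looks like in practice: with CBC and no ICV, an on-path attacker who flips one bit of the IV flips the same bit of the first plaintext block, so a write to LBA 0x0010 arrives as a write to LBA 0x0011 and the receiver has no way to notice; with an ICV the packet is dropped. It also runs a sliding anti-replay window of the kind RFC 4303 describes, updated only after the ICV verifies. Assumptions: a four-round Feistel network built from HMAC-SHA256 stands in for AES so the file runs on the Python standard library alone (it is not a cipher to use for real traffic); the keys, SPI and SCSI-like payload are constructed sample data; the ESP padding trailer is omitted and the data is supplied block-aligned.

```python
import hmac
import hashlib
import os
import struct

BLOCK = 16     # block size of the toy cipher, same as AES
WINDOW = 32    # anti-replay window: the RFC 4303 minimum; 64 is the recommended default

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Keyed Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, blk, rounds=4):
    # Four-round Feistel network standing in for AES (assumption; not for real traffic).
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key, blk, rounds=4):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    # Caller supplies block-aligned data; the ESP padding/trailer is left out.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def esp_encapsulate(enc_key, auth_key, spi, seq, pt, iv=None):
    """SPI | Seq | IV | ciphertext [| ICV].  auth_key=None means encryption-only ESP."""
    iv = iv or os.urandom(BLOCK)
    body = struct.pack("!II", spi, seq) + iv + cbc_encrypt(enc_key, iv, pt)
    if auth_key is None:
        return body
    # ICV = HMAC-SHA-256-128 (RFC 4868) over SPI, Seq, IV and ciphertext.
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:16]

class ReplayWindow:
    """Sliding window in the style of RFC 4303 Appendix A (32-bit sequence numbers,
    no ESN); bit 0 of `bits` stands for the highest sequence number seen so far."""
    def __init__(self, size=WINDOW):
        self.size, self.last, self.bits = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                        # sequence numbers start at 1
        if seq > self.last:                     # new high-water mark: slide the window
            self.bits = ((self.bits << (seq - self.last)) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or (self.bits >> diff) & 1:
            return False                        # too old, or already seen: a replay
        self.bits |= 1 << diff
        return True

def esp_decapsulate(enc_key, auth_key, window, pkt):
    """Plaintext, or None if the ICV fails or the sequence number is a replay."""
    if auth_key is not None:
        body, icv = pkt[:-16], pkt[-16:]
        if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha256).digest()[:16]):
            return None                         # modified in flight: drop before touching state
        pkt = body
    spi, seq = struct.unpack("!II", pkt[:8])
    # The window is updated only once the packet is known genuine.  Without an ICV
    # (encryption-only ESP) the sequence number is unauthenticated, so this guards nothing.
    if not window.accept(seq):
        return None
    return cbc_decrypt(enc_key, pkt[8:8 + BLOCK], pkt[8 + BLOCK:])

ENC_KEY = b"constructed-enc-key-not-secret!!"    # constructed sample keys (assumption)
AUTH_KEY = b"constructed-auth-key-not-secret!"

def demo_bitflip(use_integrity):
    """An on-path attacker flips one IV bit to turn LBA 0x0010 into 0x0011.
    Returns (accepted_by_receiver, plaintext_the_receiver_acts_on)."""
    auth_key = AUTH_KEY if use_integrity else None
    pt = b"WRITE LBA 0x0010" + b"payload-block-2."   # constructed 32-byte SCSI-like payload
    pkt = bytearray(esp_encapsulate(ENC_KEY, auth_key, spi=0x100, seq=1, pt=pt))
    # CBC: P[0] = D(C[0]) xor IV, so flipping bit k of the IV flips bit k of
    # plaintext block 0 and nothing else.  Byte 15 of block 0 is the last LBA digit.
    pkt[8 + 15] ^= 0x01                              # '0' (0x30) becomes '1' (0x31)
    out = esp_decapsulate(ENC_KEY, auth_key, ReplayWindow(), bytes(pkt))
    return (out is not None, out)

def demo_replay():
    """Accept/reject decision for a constructed sequence of packets on one SA."""
    window, decisions = ReplayWindow(), []
    for seq in (1, 2, 3, 5, 3, 100, 5, 90, 100):
        pkt = esp_encapsulate(ENC_KEY, AUTH_KEY, spi=0x100, seq=seq, pt=b"A" * BLOCK)
        decisions.append(esp_decapsulate(ENC_KEY, AUTH_KEY, window, pkt) is not None)
    return decisions
```

`demo_bitflip(False)` returns the modified write as accepted, which is the point of the "mandatory integrity" argument: the higher layer (iSCSI) carries no cryptographic integrity of its own, so nothing below or above ESP catches the change. `demo_replay()` shows the window rejecting a replayed sequence number, one that has fallen behind the window, and a replay of the current high-water mark, while still accepting a late but unseen packet. Note that the replay check is only meaningful with an ICV present: without it the sequence number can be rewritten as freely as the IV, which is why the check is placed after ICV verification.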
Last updated: Mon Jul 01 17:18:52 2002