RE: FW: IPS-All: Reminder - Security draft last call ends Monday, Jul y 1 at 8am EST

[Black_David@emc.com]

> > 2.3.1.  Transforms "When ESP is utilized, per-packet data origin
> > authentication, integrity and replay protection MUST be used." 
> > 
> > In iSCSI, the replay protection is MUST implement (not MUST use): 
> > 7.3.1 Data Integrity and Authentication 
> > "The ESP anti-replay service MUST also be implemented." 
> > 
> > (I'm not sure if the security or iSCSI should be changed ? 
> I think the recent tendency was not to impose IPsec requirements unless
> they are justified by IPS uniqueness compare to other IPsec usage
scenarios) 
> > 
> > 
> > +++ I assume security draft will be fixed +++ 
> 
> Because of the Bellovin attack on encryption-only ESP, I believe that
> the first of the two statements is the right one.
> 
> There's a lot of argument that integrity should be mandatory in ESP
> across the board.  The reason why it currently isn't (at least as far
> as I understand from Steve Kent) is that integrity in the IPsec layer
> is superfluous if cryptographic integrity is provided at a higher
> layer.  That case doesn't apply in IPS, so the risk of Bellovin's
> attack is real.

Paul - this is only about the anti-replay service, it does not propose
to change the current iSCSI and IPS Security draft mandates that integrity
be "mandatory in ESP across the board".  Are you concerned that anti-replay
should also be mandatory across the board?

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------