RE: FW: IPS-All: Reminder - Security draft last call ends Monday, July 1 at 8am EST

Excerpt of message (sent 1 July 2002) by Black_David@emc.com:

> > > 2.3.1. Transforms "When ESP is utilized, per-packet data origin
> > > authentication, integrity and replay protection MUST be used."
> > >
> > > In iSCSI, the replay protection is MUST implement (not MUST use):
> > > 7.3.1 Data Integrity and Authentication
> > > "The ESP anti-replay service MUST also be implemented."
> > >
> > > (I'm not sure if the security or iSCSI should be changed?
> > > I think the recent tendency was not to impose IPsec requirements unless
> > > they are justified by IPS uniqueness compared to other IPsec usage
> > > scenarios)
> > >
> > > +++ I assume security draft will be fixed +++
> >
> > Because of the Bellovin attack on encryption-only ESP, I believe that
> > the first of the two statements is the right one.
> >
> > There's a lot of argument that integrity should be mandatory in ESP
> > across the board. The reason why it currently isn't (at least as far
> > as I understand from Steve Kent) is that integrity in the IPsec layer
> > is superfluous if cryptographic integrity is provided at a higher
> > layer. That case doesn't apply in IPS, so the risk of Bellovin's
> > attack is real.
>
> Paul - this is only about the anti-replay service, it does not propose
> to change the current iSCSI and IPS Security draft mandates that integrity
> be "mandatory in ESP across the board". Are you concerned that anti-replay
> should also be mandatory across the board?

Ok, I didn't realize we're only talking about anti-replay. Technically it's
optional separately from integrity. In practice, once you have integrity,
the sequence checking is trivial, so I don't really understand why ESP does
that. So while I don't see a specific security hazard from leaving it out,
I also see no good argument for that flexibility.

paul
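The receiver-side anti-replay check that the reply above calls trivial once integrity is in place, shown here as an added example that is not part of the thread or of any IPS draft: a sliding-window check over ESP sequence numbers in the style of RFC 4303, written in Python. The class name, window size and sample sequence trace are constructed for this example, and it assumes the packet's ICV has already been verified before its sequence number is fed in.

```python
# Added example (not from the mailing-list thread). ESP anti-replay as a
# sliding window over 32-bit sequence numbers. The caller is assumed to call
# accept() only for packets whose ICV already verified: without integrity an
# attacker could forge sequence numbers and push the window past real traffic,
# which is why anti-replay only makes sense on top of integrity.

class AntiReplayWindow:
    """Sliding window of the last `size` sequence numbers (constructed name)."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) seen

    def check(self, seq: int) -> bool:
        """True if seq is new and inside the window; does not update state."""
        if seq == 0:
            return False                        # seq 0 is never valid on the wire
        if seq > self.top:
            return True                         # ahead of the window: always new
        diff = self.top - seq
        if diff >= self.size:
            return False                        # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1    # bit set means already received

    def accept(self, seq: int) -> bool:
        """Check seq and, if acceptable, record it. Call only after ICV check."""
        if not self.check(seq):
            return False
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                 # every older entry drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True


def replay_outcomes(seqs, size: int = 64):
    """Feed a constructed trace of sequence numbers; return accept/reject per packet."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]
```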