
    iSCSI: Last call comments



    
    The iSCSI draft is looking pretty good.  I only have one last-call
    comment left:
    
    There are a few sections in iSCSI (and ips-security) that discuss
    IPsec requirements for "compliant/conformant implementations".  I
    recall that this meant a target implementation could either be a
    single device with both iSCSI and IPsec, or a combination of two
    devices, one that handles iSCSI; the other handling IPsec.  However,
    I couldn't find anywhere in the spec that spells this out either
    way, other than a hint at it in item [3] on page 31 of ips-security-13:
    
    > [3]  IPsec is provided by a device external to the actual iSCSI device.
    >      Here the iSCSI header and data CRCs can be kept across the part of
    >      the connection that is not protected by IPsec. For instance, the
    >      iSCSI connection could traverse an extra bus, interface card,
    >      network, interface card, and bus between the iSCSI device and the
    >      device providing IPsec. In this case, the iSCSI CRC is desirable,
    >      and the iSCSI implementation behind the IPsec device may request
    >      it.
    
    As there are many cases where it makes a lot of sense to provide
    the solution in two pieces (iSCSI in one or more devices, with one or
    more IPsec front-end devices), I'd like to clarify this.
    
    How about (somewhere in section 7) adding something like:
    
       An iSCSI compliant initiator or target may provide the required
       IPsec support either by itself, or in conjunction with an IPsec
       front-end device.
    
    Any thoughts?
    
    --
    Mark
    
    
    For reference, here are a few of the statements that would be
    helped out by the above.
    
    iscsi-14 Section 7.3.1:
    
       An iSCSI compliant initiator or target MUST provide data integrity 
       and authentication by implementing IPsec [RFC2401] with ESP [RFC2406] 
       in tunnel mode and MAY provide data integrity and authentication by 
       implementing IPsec with ESP in transport mode. The IPsec
       implementation MUST fulfill the following iSCSI specific requirements:
    
    iscsi-14 Section 7.3.2:
    
       An iSCSI compliant initiator or target MUST provide confidentiality 
       by implementing IPsec [RFC2401] with ESP [RFC2406] in tunnel mode and 
       MAY provide confidentiality by implementing IPsec with ESP in
       transport mode. with the following iSCSI specific requirements:
    
    iscsi-14 Section 7.3.3:
    
         - Conformant iSCSI implementations MUST support IKE Main Mode 
               and SHOULD support Aggressive Mode. 
    
    ---
    ips-security-13 Section 2.3.1:
    
    All IP block storage security compliant implementations MUST support
    IPsec ESP [RFC2406] to provide security for both control packets and
    data packets, as well as the replay protection mechanisms of IPsec.
    When ESP is utilized, per-packet data origin authentication, integrity
    and replay protection MUST be used.
    
    
    -- 
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
    



Last updated: Wed Jul 03 18:18:54 2002