iSCSI: Last call comments

The iSCSI draft is looking pretty good. I only have one last-call comment left:

There are a few sections in iSCSI (and ips-security) that discuss IPsec requirements for "compliant/conformant implementations". I recall that this meant a target implementation could either be a single device with both iSCSI and IPsec, or a combination of two devices, one that handles iSCSI and the other handling IPsec. However, I couldn't find anywhere in the spec that spells this out either way, other than a hint at it in item [3] on page 31 of ips-security-13:

> [3] IPsec is provided by a device external to the actual iSCSI device.
> Here the iSCSI header and data CRCs can be kept across the part of
> the connection that is not protected by IPsec. For instance, the
> iSCSI connection could traverse an extra bus, interface card,
> network, interface card, and bus between the iSCSI device and the
> device providing IPsec. In this case, the iSCSI CRC is desirable,
> and the iSCSI implementation behind the IPsec device may request
> it.

As there are many cases where it makes a lot of sense to provide the solution in two pieces (iSCSI in one or more devices, with one or more IPsec front-end devices), I'd like to clarify this. How about (somewhere in section 7) adding something like:

   An iSCSI compliant initiator or target may provide the required IPsec
   support either by itself, or in conjunction with an IPsec front-end
   device.

Any thoughts?

--
Mark

For reference, here are a few of the statements that would be helped out by the above.

iscsi-14 Section 7.3.1:

   An iSCSI compliant initiator or target MUST provide data integrity and
   authentication by implementing IPsec [RFC2401] with ESP [RFC2406] in
   tunnel mode and MAY provide data integrity and authentication by
   implementing IPsec with ESP in transport mode. The IPsec implementation
   MUST fulfill the following iSCSI specific requirements:

iscsi-14 Section 7.3.2:

   An iSCSI compliant initiator or target MUST provide confidentiality by
   implementing IPsec [RFC2401] with ESP [RFC2406] in tunnel mode and MAY
   provide confidentiality by implementing IPsec with ESP in transport
   mode. with the following iSCSI specific requirements:

iscsi-14 Section 7.3.3:

   - Conformant iSCSI implementations MUST support IKE Main Mode and
     SHOULD support Aggressive Mode.

---

ips-security-13 Section 2.3.1:

   All IP block storage security compliant implementations MUST support
   IPsec ESP [RFC2406] to provide security for both control packets and
   data packets, as well as the replay protection mechanisms of IPsec.
   When ESP is utilized, per-packet data origin authentication, integrity
   and replay protection MUST be used.

--
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054
Last updated: Wed Jul 03 18:18:54 2002