----- Original Message -----
Sent: Thursday, July 04, 2002 2:52
AM
Subject: RE: iSCSI: Last call
comments
I support David's suggested clarification and his suggested
wording. I struggled for a while understanding this issue and the suggested
changes make things much clearer.
Mike Smith
CTO, iReady
-----Original Message-----
From: Black_David@emc.com [mailto:Black_David@emc.com]
Sent: Wednesday, July 03, 2002 2:54 PM
To: mbakke@cisco.com; ips@ece.cmu.edu
Subject: RE: iSCSI: Last call comments
Mark,
> There are a few sections in iSCSI (and ips-security) that
discuss
> IPsec requirements for
"compliant/conformant implementations". I
>
recall that this meant a target implementation could either be a
> single device with both iSCSI and IPsec, or a
combination of two
> devices, one that handles
iSCSI; the other handling IPsec.
In the two device combination, only the combination is
compliant,
and only at the interface(s) that
provide(s) both iSCSI and IPsec.
The iSCSI device in
the combination is not compliant by itself
because it
does not provide IPsec.
> As there are many cases where it makes a lot of sense to
provide
> the solution in two pieces (iSCSI in one
or more devices, with one or
> more IPsec front-end
devices, I'd like to clarify this.
>
> How about (somewhere in section 7) adding
something like:
>
> An iSCSI compliant initiator or target may
provide the required
> IPsec
support either by itself, or in conjunction with an IPsec
> front-end device.
>
> Any thoughts?
It would need to have the word "compliant" removed and a
sentence
added to spell out what is compliant, along
the lines of:
An iSCSI initiator or target may provide
the required
IPsec support either
by itself, or in conjunction with an IPsec
front-end device. In the latter case only the
combination
complies with the
requirements of this specification; the
individual iSCSI initiator or target would not
comply with
the requirements of
this specification due to the lack of IPsec
support.
It's probably a good idea to put this in.
Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC
Corporation, 42 South St., Hopkinton, MA 01748
+1 (508)
249-6449
FAX: +1 (508) 497-8018
black_david@emc.com Mobile: +1
(978) 394-7754
---------------------------------------------------
> -----Original Message-----
>
From: Mark Bakke [mailto:mbakke@cisco.com]
> Sent: Wednesday, July 03, 2002 5:48 PM
> To: IPS
> Subject: iSCSI: Last call
comments
>
>
>
> The iSCSI draft is
looking pretty good. I only have one last-call
> comment left:
>
> There are a few sections in iSCSI (and ips-security) that
discuss
> IPsec requirements for
"compliant/conformant implementations". I
>
recall that this meant a target implementation could either be a
> single device with both iSCSI and IPsec, or a
combination of two
> devices, one that handles
iSCSI; the other handling IPsec. However,
> I
couldn't find anywhere in the spec that spells this out either
> way, other than a hint at it in item [3] on page 31 of
> ips-security-13:
>
> > [3] IPsec is provided by a device
external to the actual
> iSCSI device.
> > Here the iSCSI header
and data CRCs can be kept across
> the part
of
> > the
connection that is not protected by IPsec. For
>
instance, the
> >
iSCSI connection could traverse an extra bus, interface card,
> > network, interface card, and
bus between the iSCSI
> device and the
> > device providing
IPsec. In this case, the iSCSI CRC is
>
desirable,
> > and
the iSCSI implementation behind the IPsec device
>
may request
> >
it.
>
> As there are
many cases where it makes a lot of sense to provide
> the solution in two pieces (iSCSI in one or more devices, with one
or
> more IPsec front-end devices, I'd like to
clarify this.
>
> How
about (somewhere in section 7) adding something like:
>
> An iSCSI compliant
initiator or target may provide the required
> IPsec support either by itself, or in
conjunction with an IPsec
>
front-end device.
>
>
Any thoughts?
>
>
--
> Mark
>
>
> For reference, here
are a few of the statements that would be
> helped
out by the above.
>
>
iscsi-14 Section 7.3.1:
>
> An iSCSI compliant initiator or target MUST
provide data integrity
> and
authentication by implementing IPsec [RFC2401] with
> ESP [RFC2406]
> in
tunnel mode and MAY provide data integrity and
>
authentication by
> implementing
IPsec with ESP in transport mode. The IPsec
>
implementa-
> tion MUST fulfill
the following iSCSI specific requirements:
>
> iscsi-14 Section 7.3.2:
>
> An iSCSI compliant
initiator or target MUST provide
> confidentiality
> by implementing IPsec [RFC2401]
with ESP [RFC2406] in
> tunnel mode and
> MAY provide confidentiality by
implementing IPsec with ESP
> in trans-
> port mode. with the following iSCSI
specific requirements:
>
> iscsi-14 Section 7.3.3:
>
> - Conformant iSCSI
implementations MUST support IKE Main Mode
>
and SHOULD support Aggressive Mode.
>
> ---
> ips-security-13
Section 2.3.1:
>
> All
IP block storage security compliant implementations MUST support
> IPsec ESP [RFC2406] to provide security for both control
packets and
> data packets, as well as the replay
protection mechanisms of IPsec.
> When ESP is
utilized, per-packet data origin authentication, integrity
> and replay protection MUST be used.
>
>
> --
> Mark A. Bakke
> Cisco Systems
> mbakke@cisco.com
>
763.398.1054
>