Keith Moore: Re: Storage over Ethernet/IP

------- Forwarded Message

Date: Fri, 26 May 2000 11:33:17 -0400
From: Keith Moore <moore@cs.utk.edu>
To: Brian.Rubarts@born.com
cc: moore@cs.utk.edu, ietf@ietf.org
Subject: Re: Storage over Ethernet/IP

> >> It won't run over the Internet because of latencies inherent on the
> >> public network.
>
> >at least for some storage applications, latency is not as important
> >as bandwidth. e.g. you can do backups over a high-latency medium
> >as long as your bandwidth is adequate (though recovery from write
> >errors gets a bit tricky).
>
> Backups could go through VPNs, I suppose.

except that you can't assume the presence of a VPN either.
you need authenticity and privacy specified as part of the storage
access protocol.

> I suppose infrequently used and low
> priority files could also be accessed over the 'net.

yes, but file access protocols are better for this purpose.
I don't see wanting to mount a raw disk drive across the public
Internet very often. (except perhaps read-only... virtual cdrom, anyone?)

> >> It will run over incredibly fast Packet over SONET Wide Area
> >> Networks--behind firewalls.
>
> >...it's
> >inappropriate to assume that it will always be used behind firewalls...
>
> If the larger network that is employing this technology doesn't hire a
> decent consultant, you might be right. If they do, it will ALWAYS
> be behind a firewall :-)

any consultant who pretends that firewalls provide security cannot
be described as 'decent'.

> >Firewalls don't help with the majority of security threats...
>
> True, but whether the server accesses the disks via SCSI over TCP or SCSI
> over Fibre Channel, the SERVER is still the weak link.

un, no. SCSI has some inherent length/delay/number-of-stations limitations.
but if the disk is accessible using TCP, there is a significant probability
that it will be accessible from the global Internet and/or from local
threats who have physical access to the transmission medium, and the
storage access protocol needs to assume that this is the case.

> The transport protocol doesn't create any inherent weaknesses of
> the type you are referring to--e-mail borne viruses, internal hackers, etc.

you're assuming a different threat model than I am. I am indeed
assuming that storage devices will be targeted, in addition to servers.

> The server would still be the attack point. Why goodness,
> the server and storage devices could be in a VLAN or something to deny
> direct hack attempts against the storage device

yes, they *could* be. but you cannot assume that they *will* be.

> but the chink in the armor is how hardened is your OS?

there's more than one chink in the armor.

IP-based protocols need to be able to work in the global Internet.

Keith

------- End of Forwarded Message