Re: iSCSI Security Protocol

To: Joshua Tseng <jtseng@NishanSystems.com>
Subject: Re: iSCSI Security Protocol
From: Yaron Klein <klein@sanrad.com>
Date: Thu, 21 Sep 2000 11:21:26 +0100
CC: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Organization: SANRAD
References: <E051A48C0B57D411B975009027295E81202B76@IS~SERVER1>
Sender: owner-ips@ece.cmu.edu

Hi Joshua,

Mark Bakke, Kalman Meth, Costa and I are now working on the new scheme of
security within the iSCSI. The key points so far are:

For full security (authentication and encryption) use external protocol, e.g.,
IPsec. You can define an IPsec policy for encrypting everything (not feasible
for most cases) or just the first 48 bytes (headers) and so on.

However, IPsec may cause some problems since it is IP oriented (connection
oriented and not session oriented). Moreover, you are forcing the client to have
IPsec, which is not always true.

The security scheme in the iSCSI draft includes authorization and
authentication. The authorization is done in the login phase with the
negotiation (detailed in the draft), and authentication is achieved by a trailer
that checks the integrity of the data and the header (either simple CRC or some
mac algorithm).

Everything is flexible and negotiable.

I hope we release the new draft very soon.

Regards,

Yaron

Joshua Tseng wrote:

> I just did a brief review of the document draft-klein-iscsi-security-00.txt.
> What is the current consensus (if any) on this document?  Is there
> agreement to use SSH as the security mechanism for iSCSI?
>
> Josh

References:
- iSCSI Security Protocol
  - From: Joshua Tseng <jtseng@NishanSystems.com>

Prev by Date: Re: iSCSI: Flow Control
Next by Date: Re: iSCSI: Flow Control
Prev by thread: iSCSI Security Protocol
Next by thread: RE: iSCSI Security Protocol
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:07:08 2001
6315 messages in chronological order