RE: Security Use Requirements

To: <julian_satran@il.ibm.com>
Subject: RE: Security Use Requirements
From: "Bernard Aboba" <aboba@internaut.com>
Date: Tue, 6 Feb 2001 13:21:14 -0800
Cc: <Black_David@emc.com>, <ips@ece.cmu.edu>, "RJ Atkinson" <rja@inet.org>, "Smb@Research. Att. Com" <smb@research.att.com>, <biran@il.ibm.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="us-ascii"
Importance: Normal
In-Reply-To: <C12569EB.005B41BC.00@d12mta02.de.ibm.com>
Sender: owner-ips@ece.cmu.edu

>Both IPSec and TLS will be in the standard.   

Including *both* IPSEC and TLS as options will probably result
in both much higher cost to customers as well as fewer vendors
implementing either. Choosing one or the other (IPSEC is my 
preference) would be a better choice.

In general, it is a bad idea to have too many security options in
a standard. Options are bad because you have to implement them
to be able to interoperate with those people who do, yet you cannot
guarantee that the work will be used. In particular, including both
IPSEC and TLS would cause vendors to try to implement both on
the same NIC, since they could never be sure which security scheme
would be used on a given iSCSI target. This would drive up the cost 
enormously since the acceleration architectures are very different 
between the protocols. 

>As we are talking about speeds that will be in excess of 1GBs 
>even on modest disk controllers we were all hesitant if to make 
>anything in this category mandatory to implement today.

As Ran noted, making implementation mandatory doesn't mean that
users have to turn it on. But not making it mandatory will probably
ensure that security will not be available in most cases. Given
the modest cost of adding IPSEC acceleration hardware (today
IPSEC accelerated NICs are available for around $100) it is hard
to see how this would be a worthwhile tradeoff. 

Right now, SSL/TLS acceleration hardware is a lot more expensive than
IPSEC accelerators (at least $2000), so I could understand if SSL/TLS
were left out of the standard.

>We assume that all those who require security beyond CRC 

CRC provides only integrity protection, but since it is not keyed,
there is no per-packet authentication or protection against spoofing
or modification. CRC therefore has little or no security value. 

> session authentication 

All session authentication does is guarantee the user identity
at the beginning of the session. Unless you have per-packet
authentication and integrity protection, all bets are off after
that. In particular, session authentication provides no protection
against TCP session hijacking. 

>However those that build a Storage Area Newtork within a 
>small enterprise completely isolated from the
>internet will not have to pay for what they do not need.

Actually, the decision made above will guarantee that all users
will need to pay a huge incremental cost for security, because
of the over abundance of security options. In reality, given the
projected cost of 1+ Gbps iSCSI accelerated adapters, the incremetal 
cost of implementing IPSEC security would be minimal.

Prev by Date: RE: Security Use Requirements
Next by Date: RE: Security Use Requirements
Prev by thread: RE: Security Use Requirements
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:35 2001
6315 messages in chronological order