RE: Security Use Requirements

At 16:21 06/02/01, John Hufferd wrote:
>I think that Julian addressed this, but, an installation might want only
>the connection to the local environment, and if so administratively tell
>the iSCSI ends to not do the encryption etc. Especially if some of the
>ends are Laptops and Desktops. But all sides must implement the features.

Implement != turn on operationally.

The above explains why clever vendors might have a configuration knob to turn off security. The above does NOT make any kind of case for not always *implementing* security.

>By the way you might have slightly overstated the IPSec chips going at full
>gig speed, when you talk about triple DES. And if there are some they are
>not within the normal costs one would expect for an iSCSI NIC HBA.

So if you believe the costs are so high, implement single DES. For a lot of threat environments DES-CBC is sufficient and it surely beats the hell out of nothing.

By the way, the crypto parts vendors that I'm talking with must be giving me better prices than you, which I find surprising, since by the parts quotes I'm seeing Bernard's math works just fine.

Nothing anyone has said here has given any kind of reasonable excuse to not make implementing security mandatory. There has been lots of rationale for making it optional for the user to turn on for a given box, but nothing for making it optional to implement. (Implement in the box != deploy operationally).

Ran
rja@inet.org