RE: Security Use Requirements

To: Joshua Tseng <jtseng@NishanSystems.com>
Subject: RE: Security Use Requirements
From: julian_satran@il.ibm.com
Date: Sat, 10 Feb 2001 09:22:50 +0200
cc: Bernard Aboba <aboba@internaut.com>, ips@ece.cmu.edu
Content-Disposition: inline
Content-type: text/plain; charset=us-ascii
Sender: owner-ips@ece.cmu.edu



Josh,

The connections are disjoint allways and the IPSec context is per
connection.
There is no issue here.  iSCSI does not allow 1 session to several targets.
The target sellector is used only at connection setup and the connections
to different targets are disjoint (even if they use the same target port -
the initiator address+port has to be distinct in this case).

Regards,
Julo

Joshua Tseng <jtseng@NishanSystems.com> on 09/02/2001 21:11:54

Please respond to Joshua Tseng <jtseng@NishanSystems.com>

To:   Bernard Aboba <aboba@internaut.com>
cc:   ips@ece.cmu.edu
Subject:  RE: Security Use Requirements




>
> >I think there is a much easier way than the two methods you
> describe below.
> >If the iSCSI authentication is taking place using the SA
> negotiated by IKE,
> >then you have an implicit relationship between IKE and iSCSI
> authentication,
> >right?
>
> That would be fine if there is only one iSCSI authentication
> per IKE QM
> SA. Is that realistic?
>

Yes, you have a point in that multiple iSCSI devices MAY exist behind the
same IP address, and each device would be sharing the same IKE SA if they
were talking to the same peer IP address.  This would be the case for a
storage device that had multiple WWUI's.  It could also happen if the IP
address/IKE endpoint was a security gateway, and there was a network behind
it supporting multiple iSCSI devices.

As I mentioned before, physical security is needed to handle each of these
cases, to ensure a hostile entity can't use the same IP address that was
authenticated by IKE.  In the former case, physical security is pretty much
assured, since both IKE/IPSec and the
multiple iSCSI WWUI's share not only the same physical box, but also the
same TCP stack. In the latter, yes of course additional measures MUST be
taken to ensure there are no hostile entities living behind a security
gateway.

Sure, an implementation geared to the paranoid user could do what you
prescribed in your previous message (but your suggestions only make sense
for a native iSCSI device).  But I don't think these measures should be a
MUST.  Physical security is a non-negotiable requirement in both cases, and
especially in the standalone security gateway scenario, this is a quite
well
understood requirement in the security architecture document RFC 2401 when
it describes tunnel mode.

Josh

Prev by Date: RE: Security Use Requirements
Next by Date: RE: Security Use Requirements
Prev by thread: RE: Security Use Requirements
Next by thread: RE: Security Use Requirements
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order