RE: Security Use Requirements

Bernard,

> >I think there is only one per connection.
> >But by careful handling at both ends the connection should be able to
> >share the same context.
>
> If each iSCSI authentication corresponds to a different initiator port
> number, then there is indeed only one per connection (IKE QM SA). The
> IP header and IPSEC SPI then link back to the IKE QM SA which in turn
> has a link to the IKE MM SA. Thus it is possible to link a given
> packet back to the identity used in the IKE MM negotiation.
>
> This implies that a given WWUI is authorized for use on only one
> 5-tuple, and iSCSI needs to enforce this restriction. If a packet
> for the wrong WWUI arrives on a 5-tuple then iSCSI needs to discard
> it. In effect, this results in a hard mapping of WWUI to 5-tuple.

I think the WWUI only exists on the iSCSI login PDU, right? As far as I know, that is the only place it shows up. If this is correct, then it is neither a practical nor efficient use of resources for iSCSI to cross-check the WWUI with the IKE SA.

I think it is fine enough for IKE to initiate a new IKE SA (let the implementor decide if it's MM or QM) every time it detects a new TCP connection (which implicitly means a new iSCSI login). But I question that even this should be MANDATORY, because most IPSec/IKE implementations are triggered and keyed only by destination IP address. If an implementor wants to put all their iSCSI sessions on the same IPSec SA, I think they should have that liberty.

Josh

> IPSEC can then be relied upon to make sure that traffic on a 5-tuple
> is integrity protected (and confidential if requested) and was sent
> by the entity that negotiated the IKE MM and QM SAs under which it
> was sent.
>
> Does this meet your needs?
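The following is an added example, not code from the thread or from any iSCSI or IPsec implementation. It models, on the target side, the chain Bernard describes (packet -> IPsec SPI -> IKE QM SA -> IKE MM SA -> identity) together with the "hard mapping of WWUI to 5-tuple" that a target would enforce at login. It also exercises Josh's case of two sessions riding one IPsec SA. The SA structures, identities, WWUI strings, addresses, and the per-identity authorization table are all constructed for illustration; since the WWUI is only present in the login PDU, later PDUs recover it from the 5-tuple binding rather than from the packet.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A TCP 5-tuple: (src ip, src port, dst ip, dst port, protocol)
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class MainModeSA:
    """IKE phase-1 (MM) SA: carries the identity authenticated by IKE."""
    identity: str


@dataclass
class QuickModeSA:
    """IKE phase-2 (QM) SA: keyed by IPsec SPI, back-linked to its MM SA."""
    spi: int
    mm: MainModeSA


@dataclass
class TargetState:
    qm_by_spi: Dict[int, QuickModeSA] = field(default_factory=dict)
    # Constructed policy: which WWUIs each IKE identity may present.
    authorized: Dict[str, Set[str]] = field(default_factory=dict)
    # Hard mapping WWUI <-> 5-tuple, created at iSCSI login.
    wwui_to_tuple: Dict[str, FiveTuple] = field(default_factory=dict)
    tuple_to_wwui: Dict[FiveTuple, str] = field(default_factory=dict)


def identity_for_spi(state: TargetState, spi: int) -> Optional[str]:
    """Packet -> SPI -> QM SA -> MM SA -> identity (the chain in the thread)."""
    qm = state.qm_by_spi.get(spi)
    return qm.mm.identity if qm else None


def login(state: TargetState, ft: FiveTuple, spi: int, wwui: str) -> bool:
    """iSCSI login PDU (the only PDU carrying the WWUI). True = accept."""
    ident = identity_for_spi(state, spi)
    if ident is None:
        return False                          # not under any IPsec SA
    if wwui not in state.authorized.get(ident, set()):
        return False                          # WWUI not owned by this IKE identity
    bound = state.wwui_to_tuple.get(wwui)
    if bound is not None and bound != ft:
        return False                          # WWUI already bound to another 5-tuple
    if state.tuple_to_wwui.get(ft, wwui) != wwui:
        return False                          # 5-tuple already bound to another WWUI
    state.wwui_to_tuple[wwui] = ft
    state.tuple_to_wwui[ft] = wwui
    return True


def data_pdu(state: TargetState, ft: FiveTuple, spi: int) -> bool:
    """Later PDUs carry no WWUI: recover it from the 5-tuple binding and
    confirm the IKE identity behind the SPI still owns it."""
    wwui = state.tuple_to_wwui.get(ft)
    ident = identity_for_spi(state, spi)
    if wwui is None or ident is None:
        return False
    return wwui in state.authorized.get(ident, set())


def demo() -> Dict[str, bool]:
    """Constructed scenario: two initiators, one SA each, three TCP connections."""
    mm_a = MainModeSA("initiator-a.example")
    mm_b = MainModeSA("initiator-b.example")
    st = TargetState(
        qm_by_spi={0x1001: QuickModeSA(0x1001, mm_a),
                   0x2002: QuickModeSA(0x2002, mm_b)},
        authorized={"initiator-a.example": {"wwui-a1", "wwui-a2"},
                    "initiator-b.example": {"wwui-b1"}},
    )
    ft1: FiveTuple = ("10.0.0.1", 40001, "10.0.0.9", 3260, "tcp")
    ft2: FiveTuple = ("10.0.0.1", 40002, "10.0.0.9", 3260, "tcp")
    ft3: FiveTuple = ("10.0.0.2", 40003, "10.0.0.9", 3260, "tcp")
    return {
        "a1_login": login(st, ft1, 0x1001, "wwui-a1"),          # accepted
        "a1_data": data_pdu(st, ft1, 0x1001),                    # accepted
        "reuse_a1_elsewhere": login(st, ft2, 0x1001, "wwui-a1"),  # discarded: WWUI already on ft1
        "a2_shared_sa": login(st, ft2, 0x1001, "wwui-a2"),      # accepted: 2nd session, same SA
        "b_presents_a": login(st, ft3, 0x2002, "wwui-a1"),      # discarded: B's SA, A's WWUI
        "no_sa_data": data_pdu(st, ft1, 0x9999),                 # discarded: unknown SPI
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'accept' if decision else 'discard'}")
```

Two things the model makes visible: the cross-check Josh calls impractical happens once, at login, and afterwards the 5-tuple alone identifies the session, so per-PDU cost is a dictionary lookup; and the "all sessions on one SA" arrangement Josh wants still passes this check (`a2_shared_sa`), because the binding is per 5-tuple rather than per SA. What a shared SA gives up is only the ability to distinguish the two connections by SPI.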