Re: Storage over Ethernet/IP

To: Brian.Rubarts@born.com
Subject: Re: Storage over Ethernet/IP
From: "Steven M. Bellovin" <smb@research.att.com>
Date: Sat, 27 May 2000 10:11:39 -0400
Cc: moore@cs.utk.edu, ietf@ietf.org
Content-Type: text/plain; charset=us-ascii
Delivery-Date: Sat May 27 10:40:04 2000
Sender: smb@research.att.com

In message <A427D1278F7CD311B1670008C7FAA62AC89F1F@CORPNT3>, Brian.Rubarts@born
.com writes:
>
>>> Encryption will be offloaded to the network interface.  ASICs on the NICs
>>> will greatly improve encryption and authentication performance.
>
>>all well and good, provided that this encryption and authentication
>>are actually compatible with that specified by higher level protocols
>>and the authentication actually meets the needs of users.  
>>(if your network interface needs to use and verify users' credentials,
>>as opposed to the host's credentials, it might be a stretch.)
>
>A network server will still authenticate user requests.  Only the host
>needs to be authenticated with the disk/disks.
>
Up to a point.  Yes, there are NICs available today with IPsec on-card. 
But given the prevalence of -- how shall I put this? -- single-user 
computers with user physical access, no OS protection and crufty software,
you really need user-granularity protection of the file access 
requests.  NFS-style protection with host authentication works if and only
if the server trusts the remote system to authenticate its users.  
That's demonstrably not true today.  

Yes, IPsec does, in theory, support user-granularity protection.  
That's very hard to do when you're using outboard IPsec implementations,
since you then need some way to pass the user's credentials (generally 
a certificate, not a user-id) back to the host, and tie every received 
packet to that identity.  It can be done, but (speaking as one of the 
primary participants in the IPsec development effort) I'm not impressed 
with its applicability in this case. 
>
>>> It will run over incredibly fast Packet over SONET Wide Area
>>> Networks--behind firewalls.
>
>>...it's 
>>inappropriate to assume that it will always be used behind firewalls...
>
>If the larger network that is employing this technology doesn't hire a
>decent
>consultant, you might be right.  If they do, it will ALWAYS be behind a
>firewall :-)
>
Speaking as someone whose firewall credentials are more or less beyond 
reproach, you're wrong -- period.  *Many* such uses will be behind 
firewalls.  Others won't.  The large corporate firewall is a dinosaur, 
because of extranets, telecommuters, unofficial links through or around 
the firewall, etc.  Comprehensive firewalls generally can't protect a 
network larger than one run by a single systems administrator (or, in 
some cases, a systems administration group); otherwise, they don't know 
where the links are.

And even when one sysadmin runs the net, what does he or she do when 
word comes down from the pointy-haired layer of the stack that there 
*will* be a VPN link to a joint venture partner?

Like it says on the (U.S.) toothpaste tubes -- firewalls can be an 
effective security measure when used as part of a program 
including good network hygiene and decent authentication.  But they're 
not magic security pixie dust, and they're not a substitute for 
authentication in the protocol.

		--Steve Bellovin

Prev by Date: RE: Storage over Ethernet/IP
Next by Date: Re: Peter Johansson: Re: IETF mailing list question on Storage over Ethernet/IP
Prev by thread: RE: Storage over Ethernet/IP
Next by thread: Re: new working version of the iSCSI ID
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:08:15 2001
6315 messages in chronological order