RE: iSCSI Security rough consensus

To: <Black_David@emc.com>, <someshg@yahoo.com>, <ips@ece.cmu.edu>
Subject: RE: iSCSI Security rough consensus
From: "Somesh Gupta" <someshg@yahoo.com>
Date: Fri, 4 May 2001 12:05:10 -0700
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="iso-8859-1"
Importance: Normal
In-reply-to: <0F31E5C394DAD311B60C00E029101A070801550D@corpmx9.isus.emc.com>
Reply-To: <someshg@yahoo.com>
Sender: owner-ips@ece.cmu.edu

David,

> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Friday, May 04, 2001 11:58 AM
> To: someshg@yahoo.com; ips@ece.cmu.edu
> Subject: RE: iSCSI Security rough consensus
> 
> 
> > Does this consensus mean that the iSCSI header and data CRCs
> > are no longer part of the specification, or are we
> > still requiring one or the other or both?
> 
> Repeat after me: "CRCs are not security mechanisms" ;-)
> ;-), and see the previous email on this list about the
> consequences of WEP trying to use CRCs in this fashion.

  My only excuse is that I did not mean "CRCs are a security
  mechanism":-) I only meant that since ESP will provide
  integrity (and authentication), will we still have CRCs.
> 
> Yes, CRCs are still required for data integrity (e.g.,
> when ESP is not present).  If one knows that ESP with
> its keyed HMAC is being used in the stack between TCP and
> IP, then it would make sense not to use CRCs at the iSCSI
> level, hence they're required to implement, but configurable
> to use (which will also be the case for ESP).

  Sure would be nice if we could make up our minds and just
  implement one mechanism.

  Here we have two mechanisms (iSCSI header/data integrity
  and ESP) which are both mandatory to implement and 
  optional to use. Since ESP seems like a superset why not
  just have that and get rid of the "integrity only" iSCSI
  CRC mechanism.

  Hopefully this will lead to everyone implementing it and
  using it (leading to a better and more secure world :-)).  

> This may
> not always be possible, as one of the things mentioned
> in the meeting is that if the IPSec implementation is
> independent of iSCSI (e.g., supplied as part of the OS),
> there's no general standard way for iSCSI to figure out
> that IPSec is there or what it's doing to traffic on any
> particular iSCSI connection.
> 
> Thanks,
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Follow-Ups:
- RE: iSCSI Security rough consensus
  - From: Bernard Aboba <aboba@internaut.com>

References:
- RE: iSCSI Security rough consensus
  - From: Black_David@emc.com

Prev by Date: RE: iSCSI Security rough consensus
Next by Date: RE: iSCSI Security rough consensus
Prev by thread: RE: iSCSI Security rough consensus
Next by thread: RE: iSCSI Security rough consensus
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:47 2001
6315 messages in chronological order