RE: iSCSI Security rough consensus

[Black_David@emc.com]

I read this as violent agreement with what
I posted.  Thanks, --David

> -----Original Message-----
> From:	Joshua Tseng [SMTP:jtseng@nishansystems.com]
> Sent:	Friday, May 04, 2001 3:30 PM
> To:	'Black_David@emc.com'; ips@ece.cmu.edu
> Subject:	RE: iSCSI Security rough consensus
> 
> See below:
> > 
> > By comparison to full IPSec with IKE, using
> > SRP to key ESP does not improve security.
> > The underlying issue is IKE complexity (i.e.,
> > the code and effort required to implement it).
> > 
> > Hence the rationale for using SRP to key
> > ESP is that it provides dynamic key
> > generation without implementing IKE -- this
> > is an improvement over pre-shared keys at
> > a much lower code and effort cost for a
> > single-box (i.e., no external security gateway)
> > implementation.
> 
> What I think I'm hearing you say is that you
> are evaluating whether to REQUIRE SRP keying of
> ESP/IPSec because its easier to do than IKE.
> If so, then in the first place, I don't think that
> is an appropriate justification for a requirement.
> In the second place, I'm not sure I even agree with
> that statement--there are many off-the-shelf IKE
> implementations which can be easily leveraged for
> iSCSI with little or no modification.  IKE doesn't
> need to be conscious of the application (i.e., iSCSI)
> being protected by IPSec.
> 
> I also agree with Bernard that this issue is not
> specific to iSCSI, and belongs in the security WG.
> 
> Josh
> > 
> > Thanks,
> > --David
> > 
> > ---------------------------------------------------
> > David L. Black, Senior Technologist
> > EMC Corporation, 42 South St., Hopkinton, MA  01748
> > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> > black_david@emc.com       Mobile: +1 (978) 394-7754
> > ---------------------------------------------------
> >