RE: iSCSI Security rough consensus

[Joshua Tseng <jtseng@NishanSystems.com>]

David,

<snip..snip>
> The upshot is that we need an end-to-end iSCSI
> authentication mechanism that authenticates the iSCSI
> entities - authenticating the IP endpoints isn't good enough.
> Given this, using that end-to-end authentication to key the 
> IP security (i.e., ESP) is natural, and significantly simpler
> as IKE cannot replace SRP in this context because IKE
> is not authenticating the iSCSI entities.  For the initial
> version of the draft, just requiring ESP would allow those
> who want to use IKE to key it to do so.  What becomes
> an RFC when will depend on how much progress gets
> made in various areas.

Just for clarification, SRP is only one of several
"end-to-end iSCSI authentication mechanisms" listed
in the -06 draft. Simple Public Key and Kerberosv5
are others.  These are endpoint authentications can
be conducted independently of IPSec (no keying of
IPSec).  Any of these, negotiated over an IKE-established
IP-endpoint-to-IP-endpoint IPSec SA, would provide the
needed security.  This is especially true if IPSec and
iSCSI are hosted on the same box, and if we discount
the possibility of an attacker opening up the chassis
and getting between IP and iSCSI/TCP in the stack.

I think if SRP were not used to key IPSec, then IKE
would be needed.  On the other hand, if IKE were available,
why would we need SRP to key IPSec?

Josh

> 
> I believe all of this is said or implied in the iSCSI requirements
> draft.
> 
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------
>