RE: iSCSI Security rough consensus

To: jtseng@NishanSystems.com, Black_David@emc.com, aboba@internaut.com, tytso@mit.edu
Subject: RE: iSCSI Security rough consensus
From: Black_David@emc.com
Date: Wed, 16 May 2001 02:44:38 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain
Sender: owner-ips@ece.cmu.edu

> Just for clarification, SRP is only one of several
> "end-to-end iSCSI authentication mechanisms" listed
> in the -06 draft.

It's also the one that the interim meeting proposes to
make MANDATORY to implement.  Based on what we
can put in the iSCSI draft now, using IKE to key ESP
is acceptable.

> I think if SRP were not used to key IPSec, then IKE
> would be needed.

I don't believe that to be the case, although I'll defer to
others on exactly how pre-shared keys are used.

> On the other hand, if IKE were available,
> why would we need SRP to key IPSec?

I think this has been answered already.  SRP is end-to-end,
ensuring that any SA it keys is end to end.  ESP in tunnel
mode keyed by IKE need not be end-to-end because any
intermediate security gateways will have IKE.

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

Prev by Date: IPS WG meeting(s) update
Next by Date: RE: iSCSI Security rough consensus
Prev by thread: RE: iSCSI Security rough consensus
Next by thread: RE: iSCSI Security rough consensus
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:04:42 2001
6315 messages in chronological order