
    iSCSI security clarifications



    Gathering up a bunch of security topics/questions that
    need to be addressed from the last few weeks of email.
    
    -- SRP Intellectual Property
    
    Yes, this situation is confusing and unclear.  It is
    also evolving (e.g., the zero-cost Stanford license
    is a recent development).  I will endeavor to obtain
    clarity and explain it at the Salt Lake City meeting.
    If clarity is not obtainable, it would be reasonable to
    remove the "MUST" requirement for implementing SRP at
    that time.
    
    -- Substituting CHAP for SRP as the REQUIRED mechanism
    
    Not a good idea.  Situations can be expected in which
    IPsec is turned off by an administrator who relies on
    authentication.  CHAP is considerably weaker than SRP
    in this situation because (all too common) weak passwords
    for CHAP are vulnerable to off-line dictionary attacks,
    whereas SRP does not have this vulnerability.
    
    -- IPsec requirements
    
    A quick reminder that IPsec is "MUST implement" but
    "MAY use" for all of our protocols.  Arguments that
    start from assuming the use of IPsec could lead to
    having to strengthen the "MAY use" requirement, and
    this should be considered by folks making such
    arguments.
    
    We are subsetting IPsec (e.g., AH is NOT REQUIRED) for
    all of our protocols.  While quoting requirements
    from IPsec RFCs is illuminating and useful to understand
    what was originally done in IPsec and why, those requirements
    are not necessarily binding on us.  We do have to exercise
    good engineering and security judgment in picking our
    subset (e.g., leaving out AH is an example of doing so).
    This approach of picking an appropriate subset of IPsec
    does have the approval of the IETF Security area,
    as long as we don't do anything obviously wrong.
    One other specific example is that "MUST implement
    DES" (as required by the current IPsec RFCs) will
    only go into IPS WG documents over my dead body ;-).
    
    -- TLS for iSCSI
    
    Those interested in standardizing the use of TLS for
    iSCSI should write and submit an Internet-Draft.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
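
The off-line dictionary exposure described under "Substituting CHAP for SRP", as an added example that is not part of the original message: a check an administrator can run against their own configured CHAP secret. It assumes CHAP with MD5 as defined in RFC 1994; the function names and the word list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list of weak secrets; a real audit would use the
# site's own password-policy deny list.
WEAK_CANDIDATES = [b"password", b"iscsi", b"storage1", b"changeme"]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def guess_matches(ident: int, challenge: bytes, response: bytes,
                  guess: bytes) -> bool:
    """Test one candidate secret against one observed exchange.

    Identifier, challenge and response all travel in the clear when IPsec
    is off, so this comparison needs no further contact with the initiator
    or the target. That is what makes the exposure "off-line".
    """
    return hmac.compare_digest(chap_response(ident, guess, challenge), response)


def secret_is_guessable(secret: bytes, candidates=WEAK_CANDIDATES) -> bool:
    """Audit a configured CHAP secret.

    Simulates a single login exchange locally and reports whether any
    entry in the candidate list is confirmed by that transcript alone.
    """
    ident = 1
    challenge = os.urandom(16)            # fresh random challenge
    response = chap_response(ident, secret, challenge)
    return any(guess_matches(ident, challenge, response, g)
               for g in candidates)


if __name__ == "__main__":
    print("storage1 guessable:", secret_is_guessable(b"storage1"))
    print("random 128-bit secret guessable:",
          secret_is_guessable(os.urandom(16)))
```

The random challenge does not help a weak secret, because the challenge is part of the observed transcript. SRP differs in that its exchanged values do not let an eavesdropper verify a password guess this way.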
    


Last updated: Mon Nov 19 17:17:36 2001