Re: iSCSI: security questions

To: "Lee Xing" <lxing@Crossroads.com>
Subject: Re: iSCSI: security questions
From: "Ofer Biran" <BIRAN@il.ibm.com>
Date: Wed, 14 Nov 2001 12:33:51 +0200
Cc: ips@ece.cmu.edu
Content-type: text/plain; charset=us-ascii
Importance: Normal
Sender: owner-ips@ece.cmu.edu


Lee,

================
Q1: iSCSI v.08, page 142 "The authentication method cannot assume an
underlying IPSec protection, since IPSec is optional to use."  IPSec is
an option for IPv4, but it's mandatory for IPv6 (if I remember right).
Should we make it more specific?

+ IPsec is mandatory to implement in IPV6 but not mandatory to use, the
+ policy can always be configured to plain processing.


Q2: iSCSI v.08 Chapter 10 (Security Consideration) mentions a few times
of "...MUST implement...".  Should we add something like "security is
mandatory to implement, but not mandatory to use" in this chapter?  This
is stated explicitly in SEC-IPS v.04 draft, and also implied in Chapter
5 (Login Phase) of iSCSI v.08.

+ I think that "MUST implement" is quite clear and standard RFC statement,
+ and you don't need "but optional to use" disclaimer each time it appears.


Q3:
SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
to determine which authentication algorithm to use (or whether to use
one at all); the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"

The question is whether "none" is considered as an "acceptable
algorithm".  In other words, if initiator asks
"AuthMethod=KRB5,SRP,none" during login, and target answers
"AuthMethod=none", should the connection be closed, or should the
initiator continue with LoginOperationalNegotiation stage?  If latter is
acceptable, should we reword the last sentence like "...and no mutually
acceptable algorithm or "none" can be agreed upon"?

+ "if either side requires authentication" rules out your example,
+ because by suggesting "none" and choosing "none" no side required
+ authentication.


Q4:
SEC-IPS v.04, page32 "If IPsec protection is removed on a connection, it
MUST be reinstated before iSCSI, iFCP or FCIP packets are sent."  The
question is do we have to check security every time before sending out
iSCSI packets?

+ This statement is going to change as a result of the sync effort with
+ the security draft, at least it would become non-normative.


Regard,
   Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253

Prev by Date: RE: Application for port-number (3260)
Next by Date: Re: SRP vs PKI for authentication
Prev by thread: iSCSI: security questions
Next by thread: RE: iSCSI: security questions
Index(es):
- Date
- Thread

Home

Last updated: Wed Nov 14 11:17:41 2001
7812 messages in chronological order