FCIP 11/21 Teleconference Minutes

Minutes submitted by Jim Nelson, Vixel Corp.

Agenda:

0. Roll Call / Agenda bashing: 10 Min
1. Ralph: Quick status update on the released drafts: 5 Min
2. NAPTs (30 Min)
3. Resync (20 Min)
4. Security: FCIP, SLP, FCIP MIB (30 Min)
5. SNMP Response Required via FCIP Entity IP address? (15 Min)
6. Next Meeting Agenda / Host: 5 Min

Note: The actual meeting only lasted for an hour and items 1 and 3 in the above were not discussed.

Roll Call

Jim Nelson - Vixel
Bill Krieg - Lucent
Dave Peterson - Cisco
Raj Bhagwat - Lightsand
Murali Rajagopal - Lightsand
Andy Helland - Lightsand
Bret Kethum - CNT
Milan Merhar - Pirus
Venkat - Rhapsody
Anil Rijhsinghani - McData
Bob Snively - Brocade

1. SNMP Response Required via FCIP Entity IP address?

Dave Peterson - Not clear what to do with this issue in the SLP draft.

Anil - Anything with an IP address implements a specific MIB. FCIP MIB should address the device, not just the entity. It is similar to a 10/100 interface.

Dave - Will leave the subject out of the SLP draft for the moment.

2. Quick status update on the released drafts

Ralph was not present.

Venkat - When we added section 7 with the short frame, some textual changes are probably required in Annex D, which currently only describes non-Short Frames.

3. Security: FCIP, SLP, FCIP MIB

SLP - Dave - The current SLP draft is not consistent with the security draft because the security draft requires IPSec whereas SLP does not. At the moment we have a fundamental difference in approach. No change for the moment.

FCIP MIB - Anil - FCIP MIB at the moment doesn't discuss security relative to management traffic. It is clear that IPSec could be used for both authenticating and encrypting this information. This is open at present. SNMPv3 addresses security, but does not require it. Inband access could be disabled. It might be desirable to allow this, but not require this.

Anil will coordinate with Mark Bakke relative to the iSCSI MIB.

FCIP - Venkat - With the addition of the short frame it makes it easier for an attacker to open a connection. Thus there is more of a security problem in the absence of IPSec. The main issue is the possibility of unsecure joining of multiple connections into a link. There is no particular direct protection for connections against false new connections. Group pre-shared keys are also a problem, because any member of the group can initiate a TCP/IP connection and potentially foul up a link. One solution is to use IPSec, but prohibit group preshared keys.

Bob - Without IPSec, not protected if you don't have a policy established. The security behavior is established by policies. May or may not choose to require security. If you don't have security it's because you choose not to have it including all parties that the entity is allowed to communicate with. Thus may refuse connections based on the policies. If the policy is security is not required, in the presence of NAPTs, then is vulnerable.

4. Neil Wanamaker will set up the meeting for next week.

--
Jim Nelson
Systems Architect
Vixel Corporation
Irvine, Ca 92618
jnelson@vixel.com
949-450-6159