RE: Review of -10 security draft
At 12:30 PM 2/20/2002, Ernest Dainow wrote:
Can you confirm that draft 10 removes the requirement that every TCP
connection must have a separate IKE Phase 2 SA?
Some sections of the document seem to have been modified to reflect
but I did notice an exception, in Section 1.2 (iFCP) "Each IPsec
established by IKE protects a single TCP
Good catch. Sections 1.2, 4.2, and the iFCP document still need to absorb
this change in full. We will need an additional pass (10 for iFCP, and 11
for the security draft) to achieve full consistency across the
If this requirement has in fact been removed, it needs to be removed from
the other draft documents, such as FCIP and iSCSI.
From: Joseph D. Harwood
Sent: Wednesday, February 20, 2002 11:02 AM
To: Bernard Aboba; Ernest.Dainow@mcdata.com
Subject: RE: Review of -10 security draft
> -----Original Message-----
> From: Bernard Aboba
> Sent: Tuesday, February 19, 2002 2:42 PM
> To: email@example.com; Ernest.Dainow@mcdata.com
> Cc: firstname.lastname@example.org
> Subject: Review of -10 security draft
> >How does requiring each connection to have its own Phase 2 mitigate the
> >vulnerability in this scenario?
> IPsec doesn't protect against this at all, and the text needs
> make this
> Please take a look at the latest -10 security draft in progress to
> this addresses the issue:
It does, thanks!
Joseph D. Harwood
Franco Travostino, Director Content Internetworking Lab
Nortel Networks, Inc.
600 Technology Park
Billerica, MA 01821 USA
Tel: 978 288 7708 Fax: 978 288 4690
Last updated: Wed Feb 20 18:18:00 2002