iSCSI: Last call comments
The iSCSI draft is looking pretty good. I only have one last-call
comment left:
There are a few sections in iSCSI (and ips-security) that discuss
IPsec requirements for "compliant/conformant implementations". I
recall that this meant a target implementation could either be a
single device with both iSCSI and IPsec, or a combination of two
devices, one that handles iSCSI; the other handling IPsec. However,
I couldn't find anywhere in the spec that spells this out either
way, other than a hint at it in item [3] on page 31 of ips-security-13:
> [3] IPsec is provided by a device external to the actual iSCSI device.
> Here the iSCSI header and data CRCs can be kept across the part of
> the connection that is not protected by IPsec. For instance, the
> iSCSI connection could traverse an extra bus, interface card,
> network, interface card, and bus between the iSCSI device and the
> device providing IPsec. In this case, the iSCSI CRC is desirable,
> and the iSCSI implementation behind the IPsec device may request
> it.
As there are many cases where it makes a lot of sense to provide
the solution in two pieces (iSCSI in one or more devices, with one or
more IPsec front-end devices), I'd like to clarify this.
How about (somewhere in section 7) adding something like:
An iSCSI compliant initiator or target may provide the required
IPsec support either by itself, or in conjunction with an IPsec
front-end device.
Any thoughts?
--
Mark
For reference, here are a few of the statements that would be
helped out by the above.
iscsi-14 Section 7.3.1:
An iSCSI compliant initiator or target MUST provide data integrity
and authentication by implementing IPsec [RFC2401] with ESP [RFC2406]
in tunnel mode and MAY provide data integrity and authentication by
implementing IPsec with ESP in transport mode. The IPsec implementation
MUST fulfill the following iSCSI specific requirements:
iscsi-14 Section 7.3.2:
An iSCSI compliant initiator or target MUST provide confidentiality
by implementing IPsec [RFC2401] with ESP [RFC2406] in tunnel mode and
MAY provide confidentiality by implementing IPsec with ESP in transport
mode, with the following iSCSI specific requirements:
iscsi-14 Section 7.3.3:
- Conformant iSCSI implementations MUST support IKE Main Mode
and SHOULD support Aggressive Mode.
---
ips-security-13 Section 2.3.1:
All IP block storage security compliant implementations MUST support
IPsec ESP [RFC2406] to provide security for both control packets and
data packets, as well as the replay protection mechanisms of IPsec.
When ESP is utilized, per-packet data origin authentication, integrity
and replay protection MUST be used.
--
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054
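What the "two devices" arrangement from the message looks like in practice, as an added example that is not part of the original message or of any IPS working group document: a strongSwan ipsec.conf fragment for an IPsec front-end gateway that sits in front of an iSCSI target and carries the requirements quoted above (ESP in tunnel mode, IKE Main Mode, per-packet authentication, integrity and replay protection). The connection name, addresses, subnets and cipher choices are assumptions made for illustration; the iSCSI target itself runs no IPsec.

```ini
# Added example (not from the original message): strongSwan ipsec.conf
# fragment for an IPsec front-end gateway protecting an iSCSI target.
# Addresses, subnets, algorithms and the connection name are made up.

conn iscsi-frontend
    keyexchange=ikev1          # IKE, as iscsi-14 section 7.3.3 requires
    aggressive=no              # IKE Main Mode (MUST); Aggressive Mode is only SHOULD
    authby=secret              # pre-shared key; other IKE authentication is possible
    type=tunnel                # ESP tunnel mode is the MUST; type=transport is the MAY
    left=192.0.2.1             # this gateway's address on the untrusted network
    leftsubnet=10.0.0.0/24     # iSCSI target(s) behind this gateway, no IPsec of their own
    leftprotoport=tcp/3260     # protect only the iSCSI port
    right=198.51.100.1         # peer gateway, or an initiator with built-in IPsec
    rightsubnet=10.0.1.0/24    # initiator(s) behind the peer
    rightprotoport=tcp/%any
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!         # ESP with an authenticated transform: per-packet data
                               # origin authentication and integrity (ips-security 2.3.1);
                               # anti-replay is on by default (tunable via replay_window)
    auto=add
```

The hop between the target and this gateway (bus, interface card, internal network) is outside the ESP protection, which is exactly the case item [3] describes, so the iSCSI implementation behind the gateway should still negotiate header and data digests rather than treat IPsec as covering the whole path.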