Subject: Re: NetBSD iSCSI HOWTOs
To: Alistair Crooks <agc@pkgsrc.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 02/28/2006 07:58:21
On Tue, Feb 28, 2006 at 08:44:57AM +0000, Alistair Crooks wrote:
>
> In particular, iSCSI doesn't offer any security worth even mention of
> the word. You *have* to use IPsec or a VPN to transfer the iSCSI
> traffic. This is your data that you have to protect, and anyone who
> can gain access to your iSCSI target has access to *all* your data.
iSCSI people were very active in the IPsec working groups (in particular,
they were among the earliest to agitate for transforms with larger block
sizes, to allow static keying of ESP sessions that would transfer
gigabytes or even terabytes of data). I'm not sure what better solution
than IPsec one might expect to find, for this application, really.
The profusion of application-layer encryption and authentication solutions
needs to stop. Really, it needed to stop some time ago. When everyone
designs his own cryptographic protocol "to meet the needs of his
application" all you really get are dozens of similar protocols each with
its own design flaws and implementation bugs. I'm sure there are ways
in which the design of iSCSI could have paid more attention to security
but I for one am quite glad that it does not include yet another hand-
rolled cryptographic protocol. :-/
Thor