Subject: Re: NetBSD iSCSI HOWTOs
To: Alistair Crooks <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 02/28/2006 08:32:08

I'd like more details on what you would have wanted. As Security AD at
the time, it was a fight to get in the security mechanisms they have --
there was strong sentiment that "this is only used within data centers;
why do we need crypto?"

Everyone would like finer-grained authentication; IPsec doesn't work
well that way. But iSCSI is a disk abstract, not a file system, and
granting access to hosts was the issue.

I glanced at the talk you pointed to. It looked to me much more like
complaints about Microsoft's implementation. While I don't remember
the details of 3270, I'd be *astonished* if the IESG -- including me --
would have approved a protocol where authentication was optional and
not turned on by default.

Some of that talk was dishonest. It spoke of eavesdropping and MITM
attacks. Of course, until the very end it omitted mention of IPsec.
That attack is, of course, why IPsec is in the spec.

Do you have a pointer to OSD? I'm not familiar with it. (I wasn't an
iSCSI proponent; I was the guy who forced them to add IPsec to the

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb