On Fri, Aug 03, 2007 at 02:41:08PM -0700, Mark Carlson wrote:

> 2. The customers will be encouraged to use the first phase of this
> solution over physically secured networks. The next phase of the
> project will add CHAP authentication.

CHAP will not be sufficient. iSCSI relies on IPsec for integrity and
confidentiality protection of data on the wire.

I imagine that getting IKE up and running from a boot archive prior to
mounting / simply does not fit the current architecture, so I'll not
suggest that. But manually keying an SA that can be used until the boot
process can get IKE up seems like a reasonable approach.

To do better than manual IPsec SA keying will require a more general
approach to security in the boot architecture, as secure NFS w/ DH or
Kerberos V, and iSCSI with IPsec and PSK or PKI for IKE, currently
require running quite a bit of code that currently only runs in
user-land. I suppose that's not-this-case...

OC (off case): Implementing those things in kernel-land would be an
option, but it sounds like a lot of work.

An alternative would be to support running a minimal set
of user-land processes (including daemons) from the boot
archive/miniroot (and with the archive/miniroot as /) and
restart them when the real / is available.

Either way we could support booting securely with / on
NFS w/ RPCSEC_GSS or iSCSI w/ IPsec and non-manual SA
keying.

In any case, the point is: iSCSI w/ CHAP is not enough to get beyond the
"physically secured networks" requirement.

Nico
--
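The "manually keyed SA until IKE is up" approach in the reply above, shown as an added example that is not part of the original mail or of any project discussed in it. It builds the configuration for a boot-time IPsec SA pair that protects iSCSI (TCP port 3260) between an initiator and a target, in the Solaris ipseckey(1M)/ipsecconf(1M) syntax implied by the boot archive/miniroot setting; the addresses, SPIs and keys are constructed placeholders, and a key-length check is included because a manual SA with a wrong-sized key fails silently at the worst possible time.

```shell
#!/bin/sh
# Added example, not part of the original mail: build a manually keyed IPsec
# configuration that protects iSCSI (TCP port 3260) between an initiator and a
# target until IKE can take over. Syntax follows Solaris ipseckey(1M) and
# ipsecconf(1M); addresses, SPIs and keys are constructed placeholders.

# valid_hex_key HEX NCHARS: succeed only if HEX is exactly NCHARS hex digits.
# AES-128 needs 32 hex digits (16 bytes); the HMAC-SHA1 keys here use 40 (20 bytes).
valid_hex_key() {
    key=$1; want=$2
    [ "${#key}" -eq "$want" ] || return 1
    case $key in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# gen_hex_key NBYTES: NBYTES of randomness from /dev/urandom, as hex.
gen_hex_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# manual_sa_config INITIATOR TARGET SPI_OUT SPI_IN AUTH_OUT ENCR_OUT AUTH_IN ENCR_IN
# Prints two ESP SAs (one per direction, each with its own keys) for ipseckey,
# then one ipsecconf policy line that requires ESP for iSCSI traffic only.
manual_sa_config() {
    initiator=$1; target=$2; spi_out=$3; spi_in=$4
    auth_out=$5; encr_out=$6; auth_in=$7; encr_in=$8
    for k in "$auth_out" "$auth_in"; do
        valid_hex_key "$k" 40 || { echo "bad HMAC-SHA1 key length" >&2; return 1; }
    done
    for k in "$encr_out" "$encr_in"; do
        valid_hex_key "$k" 32 || { echo "bad AES-128 key length" >&2; return 1; }
    done
    # Outbound SA: initiator -> target. Manual SAs never rekey; the plan in the
    # mail is to replace them once IKE is running after the real / is mounted.
    printf 'add esp spi %s src %s dst %s auth_alg sha1 encr_alg aes authkey %s encrkey %s\n' \
        "$spi_out" "$initiator" "$target" "$auth_out" "$encr_out"
    # Inbound SA: target -> initiator, with a distinct SPI and distinct keys.
    printf 'add esp spi %s src %s dst %s auth_alg sha1 encr_alg aes authkey %s encrkey %s\n' \
        "$spi_in" "$target" "$initiator" "$auth_in" "$encr_in"
    # Policy: ESP with AES + HMAC-SHA1 is required for TCP to the target's iSCSI port;
    # other traffic is left alone so the boot path does not lose DHCP/DNS.
    printf '{ laddr %s raddr %s rport 3260 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha1 sa shared }\n' \
        "$initiator" "$target"
}

# demo: fresh keys for a constructed initiator/target pair; the target side
# needs the mirror-image configuration with the same SPIs and keys.
demo() {
    manual_sa_config 192.0.2.10 192.0.2.20 0x1001 0x1002 \
        "$(gen_hex_key 20)" "$(gen_hex_key 16)" "$(gen_hex_key 20)" "$(gen_hex_key 16)"
}

demo
```

The two ipseckey lines are what the boot archive would feed to `ipseckey -f`, and the policy line goes to `ipsecconf -a`; the point of the validation loops is that a manual SA is only as good as the keys both ends were given, so the script refuses to emit anything if a key is the wrong size for its algorithm.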