Mark A. Carlson wrote:
>
> Subject: Re: iSCSI Software boot [PSARC/2007/450 FastTrack timeout 08/10/2007]
> From: Nicolas Williams <Nicolas.Williams at Sun.COM>
> Date: Fri, 03 Aug 2007 16:55:51 -0500
> To: Mark Carlson <markcarl at sac.sfbay.sun.com>
> CC: psarc-ext at sun.com, Davis at sac.sfbay.sun.com, Ken at sac.sfbay.sun.com
>
> On Fri, Aug 03, 2007 at 02:41:08PM -0700, Mark Carlson wrote:
>
>> 2. The customers will be encouraged to use the first phase of this
>> solution over physically secured networks. The next phase of the
>> project will add CHAP authentication.
>
> CHAP will not be sufficient. iSCSI relies on IPsec for integrity and
> confidentiality protection of data on the wire.
>
> I imagine that getting IKE up and running from a boot archive prior to
> mounting / simply does not fit the current architecture, so I'll not
> suggest that. But manually keying an SA that can be used until the boot
> process can get IKE up seems like a reasonable approach.
>
> To do better than manual IPsec SA keying will require a more general
> approach to security in the boot architecture as secure NFS w/ DH or
> Kerberos V, and iSCSI with IPsec and PSK or PKI for IKE currently
> require running quite a bit of code that currently only runs in
> user-land. I suppose that's not-this-case...
>
> OC (off case): Implementing those things in kernel-land would be an
> option, but it sounds like a lot of work.
>
> An alternative would be to support running a minimal set
> of user-land processes (including daemons) from the boot
> archive/miniroot (and with the archive/miniroot as /) and
> restart them when the real / is available.
>
> Either way we could support booting securely with / on
> NFS w/ RPCSEC_GSS or iSCSI w/ IPsec and non-manual SA
> keying.
>
> In any case, the point is: iSCSI w/ CHAP is not enough to get beyond the
> "physically secured networks" requirement.
>
> Nico

Nicolas,
I totally agree with you. I didn't mean to imply that CHAP authentication is going to solve the security issue when we remove the restriction of physically secured networks. We have to devise a strategy around IPsec support for iSCSI boot in the next phase of the project. Any input from you will certainly be helpful.

Thanks,
Sajid
