RE: Storage over Ethernet/IP

At 18:02 29-05-00 , Dawson, Peter D wrote: >is vulnerability and threat analysis part of the >standardization process ?? YES (shouting intentional). The "Security Considerations" section of every RFC ought to contain vulnerability, threat analysis, risk mitigation, and residual risk information.

RE: Storage over Ethernet/IP

> is vulnerability and threat analysis part of the standardization > process ?? RFCs 2251-2256, which specify LDAPv3, carry a stern warning up front that that these documents lack a standard mandatory-to-implement strong authentication method, hence limiting the applicability of the protocol (ho

RE: Storage over Ethernet/IP

At 17:02 29.05.2000 +, Dawson, Peter D wrote: >is vulnerability and threat analysis part of the >standardization process ?? Yes. RFC 2223, "Instructions to RFC authors", section 9. See also RFC 2316, "Report from the IAB security workshop", section 9, which gives further guidance.

RE: Storage over Ethernet/IP

Peter - for the last few years the IESG has required IETF working groups to have meaningful Security Considerations sections in standards track RFCs - these must include a threat and security analysis Scott

Re: Storage over Ethernet/IP

> is vulnerability and threat analysis part of the > standardization process ?? yes.

RE: Storage over Ethernet/IP

->-Original Message- ->From: Steven M. Bellovin [mailto:[EMAIL PROTECTED]] ->Sent: Monday, May 29, 2000 1:56 PM ->To: Dawson, Peter D ->Cc: [EMAIL PROTECTED] ->Subject: Re: Storage over Ethernet/IP -> -> ->In message -><[EMAIL PROTECT

Re: Storage over Ethernet/IP

In message <[EMAIL PROTECTED]>, "Dawson, Peter D" writes: > > >->-Original Message- >->From: Harald Tveit Alvestrand [mailto:[EMAIL PROTECTED]] >->Sent: Friday, May 26, 2000 6:27 PM >->To: [EMAIL PROTECTED] >->Cc: [EMAIL PROTECTED] >

RE: Storage over Ethernet/IP

->-Original Message- ->From: Harald Tveit Alvestrand [mailto:[EMAIL PROTECTED]] ->Sent: Friday, May 26, 2000 6:27 PM ->To: [EMAIL PROTECTED] ->Cc: [EMAIL PROTECTED] ->Subject: RE: Storage over Ethernet/IP ->The point being made, remade and made again here is:

Re: Storage over Ethernet/IP

In message , Brian.Rubarts@born .com writes: > >>> Encryption will be offloaded to the network interface. ASICs on the NICs >>> will greatly improve encryption and authentication performance. > >>all well and good, provided that this encryption and

RE: Storage over Ethernet/IP

At 10:14 26.05.2000 -0500, [EMAIL PROTECTED] wrote: >True, but whether the server accesses the disks via SCSI over TCP or SCSI >over Fibre Channel, the SERVER is still the weak link. The transport >protocol doesn't create any inherent weaknesses of the type you are >refering to--e-mail borne vi

Re: Storage over Ethernet/IP

>If your OS is hardened enough, a firewall may not be appropriate. > >"New from Kellogs - Firewalls cereal - part of this *COMPLETE* and *BALANCED* >security breakfast". Given the recent revelations about Gauntlet, perhaps firewalls aren't quite the invincible bastions of unassailability they ap

Re: Storage over Ethernet/IP

> There were some papers published duing the late '80's or early '90s by > John Romkey and I belive Dave Clark and Van Jacobson about the length of > instruction sequences to handle TCP. I'm not sure that those ever became > RFCs. > > Those papers came up with figures indicating that if one str

Re: Storage over Ethernet/IP

> I AM saying that if you have Internet access to your network, a firewall is > extremely important. and you're wrong. a firewall is just a tool for reducing the difficulty of your threat analysis. it doesn't inherently make your network more secure. what makes your network secure (to the ex

Re: Storage over Ethernet/IP

> But, should a good technology be nixed because some idiots might mis-use it? no. but an Internet protocol for accessing storage devices needs to be able to operate in the Internet. Keith p.s. You might as well ask "is an insecure technology for accessing storage devices a good thing, given

RE: Storage over Ethernet/IP

> Yeah, okay. I will grant that. But, should a good technology be nixed > because some idiots might mis-use it? I personally don't think so. This thread started with a question about a TCP technology report, and wandered into firewall and general security technologies. Which is the good techn

Re: Storage over Ethernet/IP

> > Encryption will be offloaded to the network interface. ASICs on the NICs > > will greatly improve encryption and authentication performance. > all well and good, provided that this encryption and authentication > are actually compatible with that specified by higher level protocols > and the

RE: Storage over Ethernet/IP

>IPv6 has NO authentication capability not already shipping for IPv4, >speaking as the person who designed both AH and ESP. Marketing aside, >there is nothing in IPv6 that makes it more easily secured than IPv4. >Both support AH and ESP. Deployed ISAKMP/IKE support IPv4, but might >not support I

RE: Storage over Ethernet/IP

>Experience tells us that although we can design and specify for >"intra-nets", people will insist on using the results over the public >internet. Pretending this will not happen is akin to burying ones head in >the beach sand when one has heard a report of a large wave heading for the >beach

RE: Storage over Ethernet/IP

>Odd.. I thought we had a clue about security. The guys at SANS just >gave us a 'Technology Leadership Award'. I just walked across the hallway, >and I didn't see any firewall in our router swamp. >I guess because we don't have a firewall, we don't have a clue. Or because >we don't have a firew

RE: Storage over Ethernet/IP

At 15:40 26-05-00 , [EMAIL PROTECTED] wrote: >It will run over incredibly fast Packet over SONET Wide Area >Networks--behind firewalls. OC-192 and soon-to-come OC-768 (terrabit) >switches will be the backbone of WANs and MANs of large networks in a few >years. I'll note that at least on

Re: Storage over Ethernet/IP

On Fri, 26 May 2000 10:14:03 CDT, [EMAIL PROTECTED] said: > A network server will still authenticate user requests. Only the host > needs to be authenticated with the disk/disks. Hmm. Isn't this security model the cause of most grumbling regarding NFS security? > If the larger network that i

Re: Storage over Ethernet/IP

> >> It won't run over the Internet because of latencies inherent on the > >> public network. > > >at least for some storage applications, latency is not as important > >as bandwidth. e.g. you can do backups over a high-latency medium > >as long as your bandwidth is adequate (though recovery fr

Re: Storage over Ethernet/IP

> a. TCP is too CPU intensive and creates too much latency for storage I/O operations. > > b. The IP stack is too top heavy and processing packet headers is too > slow to support storage I/O operations. There were some papers published duing the late '80's or early '90s by John Romkey and I

RE: Storage over Ethernet/IP

>> Encryption will be offloaded to the network interface. ASICs on the NICs >> will greatly improve encryption and authentication performance. >all well and good, provided that this encryption and authentication >are actually compatible with that specified by higher level protocols >and the aut

Re: Storage over Ethernet/IP

> Encryption will be offloaded to the network interface. ASICs on the NICs > will greatly improve encryption and authentication performance. all well and good, provided that this encryption and authentication are actually compatible with that specified by higher level protocols and the authentic

RE: Storage over Ethernet/IP

ssage- From: Keith Moore [mailto:[EMAIL PROTECTED]] Sent: Friday, May 26, 2000 9:23 AM To: Jon William Toigo Cc: [EMAIL PROTECTED] Subject: Re: Storage over Ethernet/IP None of the cited limitations of TCP performance are true. they are also missing the point. If you're going to run storage a

Re: IETF mailing list question on Storage over Ethernet/IP

1911 > > > > -Original Message----- > > From: Dave Nagle [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, May 25, 2000 4:29 PM > > To: SCSI-over-TCP List > > Subject: IETF mailing list question on Storage over Ethernet/IP > > > > > > > >

Re: Storage over Ethernet/IP

None of the cited limitations of TCP performance are true. they are also missing the point. If you're going to run storage access over IP then you are potentially allowing it to be run over the global Internet. If you do that you need good authentication and privacy, and (if you try to do them i

IETF mailing list question on Storage over Ethernet/IP

: [EMAIL PROTECTED] tel: +1 916 785 4578 fax: +1 916 785 1911 > -Original Message- > From: Dave Nagle [mailto:[EMAIL PROTECTED]] > Sent: Thursday, May 25, 2000 4:29 PM > To: SCSI-over-TCP List > Subject: IETF mailing list question on Storage over Ethernet/IP > > >

"HAAGENS,RANDY (HP-Roseville,ex1)": RE: IETF mailing list question on Storage over Ethernet/IP

AGENS,RANDY (HP-Roseville,ex1)" <[EMAIL PROTECTED]> To: "'Dave Nagle'" <[EMAIL PROTECTED]> cc: "Scsi-Tcp (E-mail)" <[EMAIL PROTECTED]> Subject: RE: IETF mailing list question on Storage over Ethernet/IP Comments - 1. I agree with you

RE: Storage over Ethernet/IP

I too have heard these arguments. When I heard them I felt a sense of deja vu -- anyone remember when the conventional wisdom was that "voice will never run over IP?" In fact, most of the assertions below are fallacies or soon will become fallacies. The only real argument is about the exac

Re: Storage over Ethernet/IP

On Thu, 25 May 2000 20:08:50 EDT, Jon William Toigo <[EMAIL PROTECTED]> said: > Put another way, when I design an aircraft, I know about lift, drag and > other engineering parameters and can plug them into calculations that will > enable me to design a wing to lift X number of pounds. When it co

Re: Storage over Ethernet/IP

At 22:52 25-05-00 , Jon William Toigo wrote: >c. The maximum throughput of a GE TCP/IP connection is 768 Mps, which is >too slow to support storage I/O operations. Provably false. In fact TCP throughput above 768 Mbps over 1518-byte GE has been demonstrated publicly in the past in several dif

Re: Storage over Ethernet/IP

sage - From: Dave Nagle <[EMAIL PROTECTED]> To: Jon William Toigo <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, May 25, 2000 7:27 PM Subject: Re: Storage over Ethernet/IP > Jon, > > Original Message > > >> I am seeking a few

Re: Storage over Ethernet/IP

Jon, Original Message >> I am seeking a few points of clarification: >> >> 1. Fibre Channel folks have attempted to explain to me why TCP/IP could = >> NEVER be a viable interconnect for block level storage operations. They = >> claim: >> a. TCP is too CPU intensive and

Re: Storage over Ethernet/IP

On Thu, 25 May 2000, Jon William Toigo wrote: > I am seeking a few points of clarification: > > 1. Fibre Channel folks have attempted to explain to me why TCP/IP > could NEVER be a viable interconnect for block level storage > operations. They claim: > > a. TCP is too CPU intensive and creat

Storage over Ethernet/IP

I am seeking a few points of clarification:   1.  Fibre Channel folks have attempted to explain to me why TCP/IP could NEVER be a viable interconnect for block level storage operations.  They claim:   a.  TCP is too CPU intensive and creates too much latency for storage I/O operations.   b.