[Fwd: Re: iSCSI Software boot [PSARC/2007/450 FastTrack timeout 08/10/2007]]
Sajid Zia
Sajid.Zia at sun.com
Fri Aug 3 16:09:10 PDT 2007
Mark A. Carlson wrote:
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: iSCSI Software boot [PSARC/2007/450 FastTrack timeout 08/10/2007]
> From:
> Nicolas Williams <Nicolas.Williams at Sun.COM>
> Date:
> Fri, 03 Aug 2007 16:55:51 -0500
> To:
> Mark Carlson <markcarl at sac.sfbay.sun.com>
> CC:
> psarc-ext at sun.com, Davis at sac.sfbay.sun.com, Ken at sac.sfbay.sun.com
>
>
> On Fri, Aug 03, 2007 at 02:41:08PM -0700, Mark Carlson wrote:
>
>> 2. The customers will be encouraged to use the first phase of this
>> solution over physically secured networks. The next phase of the
>> project will add CHAP authentication.
>>
>
> CHAP will not be sufficient. iSCSI relies on IPsec for integrity and
> confidentiality protection of data on the wire.
>
> I imagine that getting IKE up and running from a boot archive prior to
> mounting / simply does not fit the current architecture, so I'll not
> suggest that. But manually keying an SA that can be used until the boot
> process can get IKE up seems like a reasonable approach.
>
> To do better than manual IPsec SA keying will require a more general
> approach to security in the boot architecture as secure NFS w/ DH or
> Kerberos V, and iSCSI with IPsec and PSK or PKI for IKE currently
> require running quite a bit of code that currently only runs in
> user-land. I suppose that's not-this-case...
>
> OC (off case): Implementing those things in kernel-land would be an
> option, but it sounds like a lot of work.
>
> An alternative would be to support running a minimal set
> of user-land processes (including daemons) from the boot
> archive/miniroot (and with the archive/miniroot as /) and
> restart them when the real / is available.
>
> Either way we could support booting securely with / on
> NFS w/ RPCSEC_GSS or iSCSI w/ IPsec and non-manual SA
> keying.
>
> In any case, the point is: iSCSI w/ CHAP is not enough to get beyond the
> "physically secured networks" requirement.
>
> Nico
>
Nicolas,

I totally agree with you; I didn't mean to imply that CHAP authentication is going to solve the security issue when we remove the restriction of physically secured networks. We have to devise a strategy around IPsec support for iSCSI boot in the next phase of the project. Any input from you will certainly be helpful.

Thanks,
Sajid
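
An added illustration of the point made in this thread (not part of either message, and not code from the iSCSI boot project): CHAP, computed as in RFC 1994, authenticates only the login exchange, so PDUs sent afterwards need a separate per-packet integrity check. The HMAC tag below is a simplified stand-in for the integrity protection of an IPsec SA with a manually provisioned key; all function names, keys and payload bytes are constructed for the example.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: hash over identifier, shared secret, challenge.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def target_login(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # Target recomputes the response and compares in constant time.
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def accept_pdu_chap_only(logged_in: bool, pdu: bytes) -> bool:
    # Nothing ties a post-login PDU to the CHAP secret, so a session that
    # logged in successfully has no basis for rejecting a modified payload.
    return logged_in

def _tag(key: bytes, seq: int, pdu: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(4, "big") + pdu, hashlib.sha256).digest()

def protect(key: bytes, seq: int, pdu: bytes) -> bytes:
    # Stand-in for ESP integrity: per-packet tag over sequence number + payload.
    return pdu + _tag(key, seq, pdu)

def accept_pdu_protected(key: bytes, seq: int, packet: bytes) -> bool:
    pdu, tag = packet[:-32], packet[-32:]
    return hmac.compare_digest(_tag(key, seq, pdu), tag)

def demo() -> dict:
    secret = b"constructed-chap-secret"      # constructed sample value
    sa_key = bytes(range(32))                # constructed manually provisioned key
    challenge = bytes(range(16, 32))         # constructed CHAP challenge
    logged_in = target_login(7, secret, challenge,
                             chap_response(7, secret, challenge))
    pdu = b"WRITE lba=0 data=bootblock"      # constructed payload, not a real PDU
    tampered = pdu.replace(b"bootblock", b"otherdata")
    packet = protect(sa_key, 1, pdu)
    forged = tampered + packet[-32:]         # modified payload, original tag
    return {
        "login_ok": logged_in,
        "chap_only_accepts_tampered": accept_pdu_chap_only(logged_in, tampered),
        "protected_accepts_original": accept_pdu_protected(sa_key, 1, packet),
        "protected_accepts_tampered": accept_pdu_protected(sa_key, 1, forged),
        "protected_accepts_wrong_seq": accept_pdu_protected(sa_key, 2, packet),
    }

if __name__ == "__main__":
    print(demo())
```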