NVMe over Fabrics Security Update
Claudio DeSanti, Distinguished Engineer, Dell Technologies CTIO Group
SNIA Virtual Conference, September 28-29, 2021
© 2023 SNIA. © 2023 Dell Technologies. All Rights Reserved.

Agenda
- SAN Security Framework
- NVMe/TCP with TLS
- TP 8018: Updates to NVMe/TCP with TLS
  - PSK Scope Confusion
  - TLS Concatenation
  - Use of Opportunistic TLS
- TP 8025: Usage Configuration of NVMe/TCP Security

SAN Security Framework

Storage Area Network (SAN) Example
[Diagram: Hosts connected through the SAN to a Storage Subsystem]

Security Threat 1: Access Control
1) Uncontrolled Storage Access
Countermeasure: Storage Access Control
- NVMe namespaces mapping
- NVMe-oF Zoning
Does not prevent impersonation

Security Threat 2: Impersonation
2) Impersonation (Spoofing)
Countermeasure: Authentication
- Proof of identity

Security Threat 3: Communication Access
3) Communication Access
- Eavesdrop
- Inject/Modify
Countermeasure: Secure Channel (data in flight)
- Confidentiality
- Cryptographic Integrity

SAN Security Mechanisms (iSCSI vs. Fibre Channel vs. NVMe over Fabrics/IP)

Storage Endpoint Authentication
- iSCSI: CHAP (strong secret); SRP (weak secret, e.g., password), not used in practice
- Fibre Channel: DH-CHAP (strong secret); FCPAP (weak secret, e.g., password); FCAP (certificates); FC-EAP (strong secret)
- NVMe over Fabrics/IP: DH-HMAC-CHAP (strong secret), defined in TP 8006, now in Base Spec. rev 2.0

Centralized Authentication Verification
- iSCSI: RADIUS (CHAP-only, obsolete)
- Fibre Channel: RADIUS (DH-CHAP-only, obsolete)
- NVMe over Fabrics/IP: Authentication Verification Entity (AVE), defined in TP 8019

Secure Channel (authenticated encry
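As an added example that is not part of this presentation or of the NVMe specification, the following Python sketch shows the property that the "Proof of identity" countermeasure and the CHAP-family mechanisms in the table rely on: a host proves it holds a shared secret by answering a fresh, single-use challenge with an HMAC, so the secret itself never crosses the fabric. The secret value, host NQN, transaction-id handling and the layout of the HMAC input are constructed for this example; the actual DH-HMAC-CHAP hash input, its Diffie-Hellman augmentation and its message formats are defined in the NVMe Base Specification and are not reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret (hypothetical value). In a deployment it is provisioned
# out of band to both host and controller and is never sent over the fabric.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"
# Constructed host NQN, used only to bind a response to a claimed identity.
HOST_NQN = "nqn.2014-08.org.nvmexpress:uuid:00000000-0000-0000-0000-000000000000"


def compute_response(secret, challenge, transaction_id, host_nqn):
    """Host side: answer a challenge without revealing the secret.

    The input layout (challenge || transaction id || host NQN) is an assumption
    made for this example; it is NOT the NVMe spec's DH-HMAC-CHAP hash input.
    """
    msg = challenge + transaction_id.to_bytes(2, "big") + host_nqn.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Controller:
    """Verifier side: issues fresh challenges and checks the HMAC responses."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}   # transaction id -> outstanding challenge (single use)
        self.next_tid = 1

    def issue_challenge(self):
        tid = self.next_tid
        self.next_tid += 1
        challenge = secrets.token_bytes(32)   # fresh random challenge each time
        self.pending[tid] = challenge
        return tid, challenge

    def verify(self, tid, host_nqn, response):
        # pop() makes the challenge single use: a second answer to the same
        # transaction id, or an answer to an unknown one, is rejected.
        challenge = self.pending.pop(tid, None)
        if challenge is None:
            return False
        expected = compute_response(self.secret, challenge, tid, host_nqn)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """Exercise the exchange under the threats the slides name; returns a dict."""
    ctrl = Controller(SHARED_SECRET)
    results = {}

    # 1) Legitimate host holding the provisioned secret.
    tid, ch = ctrl.issue_challenge()
    resp = compute_response(SHARED_SECRET, ch, tid, HOST_NQN)
    results["legit"] = ctrl.verify(tid, HOST_NQN, resp)

    # 2) Impersonation: a party that does not hold the secret cannot answer.
    tid, ch = ctrl.issue_challenge()
    bad = compute_response(b"wrong-secret", ch, tid, HOST_NQN)
    results["wrong_secret"] = ctrl.verify(tid, HOST_NQN, bad)

    # 3) Eavesdropped response replayed against a later challenge: the fresh
    #    challenge and single-use transaction id make the captured value useless.
    tid1, ch1 = ctrl.issue_challenge()
    captured = compute_response(SHARED_SECRET, ch1, tid1, HOST_NQN)
    ctrl.verify(tid1, HOST_NQN, captured)        # consumed by the real host
    tid2, _ch2 = ctrl.issue_challenge()
    results["replay"] = ctrl.verify(tid2, HOST_NQN, captured)

    # 4) Correct response, but presented under a different claimed identity.
    tid, ch = ctrl.issue_challenge()
    resp = compute_response(SHARED_SECRET, ch, tid, HOST_NQN)
    results["nqn_mismatch"] = ctrl.verify(tid, "nqn.constructed.other-host", resp)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:>13}: {'accepted' if ok else 'rejected'}")
```

The single-use challenge table is what defeats scenario 3, and binding the host NQN into the HMAC input is what defeats scenario 4; both are the defender's reasons to prefer the "strong secret" entries in the table over password-class secrets, since an eavesdropper who captures a challenge/response pair can test guesses against a weak secret offline.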