RE: iSCSI: CONNECT message (was Naming/Discovery/URLs)

> > Forgive my ignorance, but is there a reason why a tunneling protocol is not
> > used to get past the NAT or Firewall? Why is there a gateway-in specific to
> > only this protocol?
>
> It's actually my ignorance, Doug. I don't know of an applicable
> tunneling protocol.
>
> The only widely deployed tunneling/proxy protocol I know of is
> HTTP/FTP proxies.

Deployment is definitely a problem. RSA-IP and RSAP-IP are nice solutions for NAT traversal (see RFC 2663), but they're not widely implemented; recommending them might be a good thing to do.

If one wanted to solve both the firewall traversal and authentication problems in one go, an IPsec tunnel will do the job, at some implementation cost.

A problem with both approaches that I don't believe is well solved at the moment is tunnel autoconfig. E.g., when host A wants to talk to host B, how does it know to ask gateway X (could be host A itself) to set up an what sort of tunnel to gateway Y (in front of host B)? This gets peculiar quickly when one or both of A and B are in private IP address space. Doug's earlier observation that B ought to have a public (i.e., globally routable) IP address is applicable here, but this situation is complicated by the presence of gateway policies about what sort of tunnels have to be set up to get traffic to B (i.e., even if A knows B's public IP address, A still has to know about Y and what sort of tunnels Y requires to talk to B).

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------
Last updated: Tue Sep 04 01:06:49 2001