RE: Security Use Requirements

Bernard,

No, the initiator port is different (the TCP connections are disjoint).

However this brings with it another issue. Separate connections (even within the same session) can have different security - and this is not a useless feature e.g., a private link with a backup public link. In other environments you have links with similar needs.

Does IPSec provide a replication mechanism for security contexts?

Regards,
Julo

"Bernard Aboba" <aboba@internaut.com> on 09/02/2001 18:32:31

Please respond to "Bernard Aboba" <aboba@internaut.com>

To: Black_David@emc.com, jtseng@NishanSystems.com
cc: ips@ece.cmu.edu
Subject: RE: Security Use Requirements

>iSCSI envisions and allows multiple targets behind a single IP
>address and TCP port. The targets are named (via WWUIs) in a
>fashion that neither IPsec nor TLS can be expected to understand

Let me make sure I understand this. You will have multiple SCSI authentications to the same target IP address and port. Does the initiator port vary between them or is that the same too?

If the same initiator port is used, I think there will be a problem. How would the conversants know which IPSEC QM SA to use to send a particular transaction?

On outbound, from the point of view of the IPSEC driver, it sees a packet come down with a given IP and transport header. Based on this information, it decides which IKE QM SA the packet belongs to, if any. So the driver has no notion of WWUIs, and needs to make its decision purely based on the IP and transport headers. If there isn't anything in there that is different between the QM SAs, the driver will pick one, but it might not be the right one.
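
The selector question raised in this thread, as an added illustration that is not part of either message: a toy outbound SA lookup in Python keyed only on IP and transport header fields, run for a shared initiator port and for disjoint TCP connections. The addresses, port numbers and SA labels are constructed, and the first-match policy is an assumption standing in for "the driver will pick one".

```python
from collections import namedtuple

# All an IPsec driver sees on outbound: IP and transport header fields.
Selector = namedtuple("Selector", "src_ip dst_ip proto src_port dst_port")

class SADatabase:
    """Toy outbound SA table keyed only on header selectors."""

    def __init__(self):
        self.entries = []  # (Selector, sa_label) in installation order

    def install(self, selector, sa_label):
        self.entries.append((selector, sa_label))

    def candidates(self, packet):
        # None in a selector field acts as a wildcard.
        return [label for sel, label in self.entries
                if all(s is None or s == p for s, p in zip(sel, packet))]

    def select(self, packet):
        # Assumed policy: first match wins; WWUIs never enter the decision.
        matches = self.candidates(packet)
        return matches[0] if matches else None

    def ambiguous(self, packet):
        return len(self.candidates(packet)) > 1

# Constructed values: documentation addresses, TCP (proto 6), target port 3260.
INITIATOR, TARGET_IP, TARGET_PORT = "192.0.2.10", "192.0.2.20", 3260

def shared_port_case():
    """Two SAs for two named targets, same initiator port: same selector."""
    db = SADatabase()
    sel = Selector(INITIATOR, TARGET_IP, 6, 40000, TARGET_PORT)
    db.install(sel, "QM-SA for target A")
    db.install(sel, "QM-SA for target B")
    pkt_for_b = Selector(INITIATOR, TARGET_IP, 6, 40000, TARGET_PORT)
    return db.select(pkt_for_b), db.ambiguous(pkt_for_b)

def disjoint_connection_case():
    """Disjoint TCP connections: the initiator port separates the SAs."""
    db = SADatabase()
    db.install(Selector(INITIATOR, TARGET_IP, 6, 40000, TARGET_PORT), "QM-SA for target A")
    db.install(Selector(INITIATOR, TARGET_IP, 6, 40001, TARGET_PORT), "QM-SA for target B")
    pkt_for_b = Selector(INITIATOR, TARGET_IP, 6, 40001, TARGET_PORT)
    return db.select(pkt_for_b), db.ambiguous(pkt_for_b)

if __name__ == "__main__":
    print(shared_port_case())
    print(disjoint_connection_case())
```
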
Last updated: Tue Sep 04 01:05:32 2001