
    RE: iSCSI Security: Environment and Requirements



    > Are iSCSI HBAs considered "gateways" in IPsec terminology? Per
    > RFC 2401, only "gateways" can support only tunnel-mode IPsec, whereas
    > "hosts" are required to support both tunnel and transport mode IPsec.
    
    Not exactly.  The current path is to pick out an
    appropriate subset of IPsec -- if we were to require
    IPsec starting with RFC 2401, we'd wind up requiring 
    a lot of stuff (AH, ESP, IKE, ISAKMP, DES, etc.).  Not
    only is this far more than is necessary, but it also
    requires things that have little current justification
    (e.g., AH and DES).  In any case, the whole point of this
    paragraph is that one should not make inferences about
    iSCSI based on requirements in IPsec RFCs as the current
    plan is to require an IPsec subset. 
    
    The specific answer to your question is that an iSCSI
    HBA is a "host" as far as IPsec is concerned; however,
    here are rationales I've heard for only requiring tunnel mode:
    
    (1) Only one IPsec mode (transport or tunnel) is needed
        for a protocol like iSCSI.
    (2) Tunnel mode has better NAT transparency because the
        encapsulated IP and TCP checksums work in tunnel mode
        (they fail in transport mode).  See
        draft-ietf-ipsec-nat-reqts-00.txt for more details.
    (3) Tunnel mode would allow the use of external gateways,
        transport mode would not.
    
    Thanks,
    --David
    
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
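Rationale (2) in the message above, worked through as an added example that is not part of the original mail: the TCP checksum is computed over a pseudo-header containing the IP addresses, so a NAT that rewrites the source address breaks an ESP-protected checksum in transport mode but not the inner packet's checksum in tunnel mode. Addresses, ports and payload below are constructed sample values.

```python
import socket
import struct

# Added example (not from the mailing-list message): shows why an inner TCP
# checksum survives NAT in tunnel mode but not in transport mode. Addresses and
# payload are constructed sample values.

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    # The pseudo-header binds the TCP checksum to the IP addresses (protocol 6).
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)

def build_tcp_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    # Minimal 20-byte header: ephemeral port -> 3260 (iSCSI), PSH|ACK, checksum filled in last.
    hdr = struct.pack("!HHIIBBHHH", 49152, 3260, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = (~ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(seg)) + seg)) & 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def tcp_checksum_ok(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    # Receiver check: sum over pseudo-header + segment (checksum field included) is all ones.
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF

def transport_mode_survives_nat(orig_src: str, dst: str, nat_src: str, payload: bytes) -> bool:
    # Transport mode: ESP protects only the TCP segment; the single IP header is in the clear,
    # so NAT rewrites the very source address the protected checksum was computed over.
    seg = build_tcp_segment(orig_src, dst, payload)
    return tcp_checksum_ok(nat_src, dst, seg)

def tunnel_mode_survives_nat(orig_src: str, dst: str, nat_src: str, payload: bytes) -> bool:
    # Tunnel mode: the whole inner IP packet is encapsulated; NAT rewrites only the outer
    # header (to nat_src), which is stripped on decapsulation, so the inner packet still
    # carries orig_src and its TCP checksum verifies unchanged.
    seg = build_tcp_segment(orig_src, dst, payload)
    inner_src_after_decap = orig_src
    return tcp_checksum_ok(inner_src_after_decap, dst, seg)

if __name__ == "__main__":
    args = ("10.0.0.5", "192.0.2.20", "203.0.113.7", b"iSCSI login PDU (constructed)")
    print("transport mode after NAT:", transport_mode_survives_nat(*args))  # False
    print("tunnel mode after NAT:   ", tunnel_mode_survives_nat(*args))     # True
```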
    
    
    
    

