RE: iSCSI Security: Environment and Requirements

[Black_David@emc.com]

> Are iSCSI HBAs considered "gateways" in IPsec terminilogy? Per
> RFC 2401, only "gateways" can support only tunnel-mode IPsec, whereas
> "hosts' are required to support both tunnel and transport mode IPsec.

Not exactly.  The current path is to pick out an
appropriate subset of IPsec -- if we were to require
IPsec starting with RFC 2401, we'd wind up requiring 
a lot of stuff (AH, ESP, IKE, ISAKMP, DES, etc.).  Not
only is this far more than is necessary, but it also
requires things that have little current justification
(e.g., AH and DES).  In any case, the whole point of this
paragraph is that one should not to make inferences about
iSCSI based on requirements in IPsec RFCs as the current
plan is to require an IPsec subset. 

The specific answer to your question is that an iSCSI
HBA is a "host" as far as IPsec is concerned, however,
here are rationales I've heard for only requiring tunnel mode:

(1) Only one IPsec mode (transport or tunnel) is needed
	 for a protocol like iSCSI.
(2) Tunnel mode has better NAT transparency because the
	encapsulated IP and TCP checksums work in tunnel mode
	(they fail in transport mode).  See
	draft-ietf-ipsec-nat-reqts-00.txt for more details.
(3) Tunnel mode would allow the use of external gateways,
	transport mode would not.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------