RE: iSCSI Security: Environment and Requirements

> Are iSCSI HBAs considered "gateways" in IPsec terminology? Per
> RFC 2401, only "gateways" can support only tunnel-mode IPsec, whereas
> "hosts" are required to support both tunnel and transport mode IPsec.

Not exactly. The current path is to pick out an appropriate subset of IPsec -- if we were to require IPsec starting with RFC 2401, we'd wind up requiring a lot of stuff (AH, ESP, IKE, ISAKMP, DES, etc.). Not only is this far more than is necessary, but it also requires things that have little current justification (e.g., AH and DES). In any case, the whole point of this paragraph is that one should not make inferences about iSCSI based on requirements in IPsec RFCs, as the current plan is to require an IPsec subset.

The specific answer to your question is that an iSCSI HBA is a "host" as far as IPsec is concerned; however, here are rationales I've heard for only requiring tunnel mode:

(1) Only one IPsec mode (transport or tunnel) is needed for a protocol like iSCSI.

(2) Tunnel mode has better NAT transparency because the encapsulated IP and TCP checksums work in tunnel mode (they fail in transport mode). See draft-ietf-ipsec-nat-reqts-00.txt for more details.

(3) Tunnel mode would allow the use of external gateways; transport mode would not.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------
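The following is an added illustration of rationale (2) above; it is not part of the mailing-list thread and not code from any iSCSI or IPsec implementation. It builds a TCP segment with a real RFC 1071 checksum over the IPv4 pseudo-header, then models what a NAT between initiator and target does to it under ESP transport mode (one IP header, rewritten by the NAT, while the checksummed segment is sealed inside ESP and cannot be patched) versus ESP tunnel mode (the inner IP header travels inside ESP untouched, and only the disposable outer header is rewritten). ESP itself is modelled only as "the protected bytes are unchanged"; the IP addresses and ports are constructed sample values from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 / RFC 1918 documentation space), not real hosts.
INITIATOR_IP = "10.0.0.5"        # iSCSI initiator behind a NAT
TARGET_IP = "192.0.2.10"         # iSCSI target on the far side
NAT_PUBLIC_IP = "203.0.113.7"    # address the NAT substitutes for the initiator
ISCSI_PORT = 3260


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, returned as a 16-bit value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum = checksum over IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    followed by the segment with its own checksum field (bytes 16..17) zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def build_tcp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the receiving TCP does: recompute against the addresses in the IP header it got."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def deliver_transport_mode(segment: bytes, nat_present: bool) -> bool:
    """ESP transport mode: the single IP header is in the clear and the NAT rewrites its
    source address; the TCP segment is inside ESP, so the NAT cannot fix its checksum.
    The target decrypts and checks the segment against the rewritten header."""
    ip_src_seen_by_target = NAT_PUBLIC_IP if nat_present else INITIATOR_IP
    return verify_tcp_checksum(ip_src_seen_by_target, TARGET_IP, segment)


def deliver_tunnel_mode(segment: bytes, nat_present: bool) -> bool:
    """ESP tunnel mode: the whole inner IP packet (inner header + TCP) is inside ESP.
    The NAT rewrites only the outer header, which is discarded on decapsulation, so the
    target checks the segment against the untouched inner addresses."""
    outer_src = NAT_PUBLIC_IP if nat_present else INITIATOR_IP  # rewritten, then discarded
    inner_src = INITIATOR_IP                                   # protected by ESP, unchanged
    assert outer_src in (NAT_PUBLIC_IP, INITIATOR_IP)
    return verify_tcp_checksum(inner_src, TARGET_IP, segment)


def run_demo() -> dict:
    """Returns whether the target's TCP checksum check passes in each scenario."""
    segment = build_tcp_segment(INITIATOR_IP, TARGET_IP, 40000, ISCSI_PORT,
                                b"iSCSI login PDU (constructed payload)")
    return {
        "no_nat_transport": deliver_transport_mode(segment, nat_present=False),
        "no_nat_tunnel": deliver_tunnel_mode(segment, nat_present=False),
        "nat_transport": deliver_transport_mode(segment, nat_present=True),
        "nat_tunnel": deliver_tunnel_mode(segment, nat_present=True),
    }


if __name__ == "__main__":
    for scenario, ok in run_demo().items():
        print(f"{scenario:18s} checksum {'OK' if ok else 'FAILS'}")
```

Without a NAT both modes verify; with a NAT in the path only tunnel mode does, because the addresses the checksum was computed over are the ones the target actually sees. This is the checksum half of the NAT-transparency argument; the draft cited in the message covers the other interactions (IKE, ESP over UDP, address-dependent SA selection) that a full deployment also has to handle.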