    RE: I-D ACTION:draft-ietf-ips-security-04.txt



    I have a couple of quick questions about the transport vs. tunnel mode
    discussion in the firewall traversal section of the latest draft.
    The section reads:
    
         Firewall traversal. Where a storage protocol is to traverse
         administrative domains, the firewall administrator may desire to
         verify the integrity and authenticity of each transiting packet,
         rather than opening a hole in the firewall for the storage
         protocol. IPsec tunnel mode lends itself to such verification,
         since the firewall can terminate the tunnel mode connection while
         still allowing the endpoints to communicate end-to-end. If desired,
         the endpoints can in addition utilize IPsec transport mode for end-
         to-end security, so that they can also verify authenticity and
         integrity of each packet for themselves.
    
    My question is how important the requirement for firewall administrators
    to "verify the integrity and authenticity of each transiting packet" is if
    the iSCSI endpoints are using transport-mode IPsec/ESP (implying
    authentication and integrity checking) connections. Why would (in this
    case) opening a hole in the firewall to allow traversal of IPsec traffic
    not be sufficient? Also, are there potential latency issues that may arise
    if the firewall is terminating IPsec (vs. iSCSI end-points terminating
    IPsec)? I see the emergence of IPsec acceleration in iSCSI end-points
    (vs. in general-purpose firewalls) to be a more likely scenario.
    
    Saqib
    
    Saqib Jang
    Margalla Communications, Inc.
    3301 El Camino Real, Suite 220
    Atherton, CA 94027
    Ph: 650 298 8462
    Fax: 650 851 1613
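The following is an added illustration, not part of the post above or of the draft it quotes, of the two placements the quoted paragraph contrasts. It is a toy model and everything in it is an assumption of the example: ESP is reduced to SPI, sequence number, payload and a truncated HMAC-SHA256 ICV with NULL encryption, the "IP header" is a constructed 9-byte source/destination/protocol record, and the keys, addresses and iSCSI segment are constructed values. It shows the security-relevant difference: a firewall that terminates a tunnel-mode SA can verify each transiting packet and apply policy to the inner headers before forwarding, while a firewall that merely opens a hole for transport-mode ESP passes packets it has no key to check.

```python
import hashlib
import hmac
import ipaddress
import struct

# Toy model of the two IPsec placements discussed in the quoted draft text.
# Assumptions (not from the draft or the post): ESP is modelled as
# SPI(4) | sequence(4) | payload | ICV(16), integrity-only (NULL encryption,
# as RFC 2410 allows) with the ICV a truncated HMAC-SHA256; the "IP header"
# is a constructed 9-byte src/dst/protocol record, not real IPv4.
ICV_LEN = 16
PROTO_ESP = 50


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed header: 4-byte source, 4-byte destination, 1-byte protocol."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([proto])


def parse_ip(pkt: bytes):
    """Split a constructed packet into (src, dst, proto, payload)."""
    src = str(ipaddress.IPv4Address(pkt[0:4]))
    dst = str(ipaddress.IPv4Address(pkt[4:8]))
    return src, dst, pkt[8], pkt[9:]


def esp_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Authenticate SPI, sequence number and payload under the SA key."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_verify(key: bytes, esp: bytes):
    """Return the authenticated payload, or None if the ICV fails under this key."""
    if len(esp) < 8 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return body[8:]


def firewall_terminate_tunnel(tunnel_key: bytes, pkt: bytes, allowed_inner_dst: set):
    """Tunnel-mode scenario from the draft: the firewall holds the tunnel SA, so it
    verifies every transiting packet, applies policy to the inner packet's headers,
    and forwards only the inner (end-to-end) packet. Returns None for a drop."""
    _, _, proto, esp = parse_ip(pkt)
    if proto != PROTO_ESP:
        return None
    inner = esp_verify(tunnel_key, esp)
    if inner is None:
        return None                      # forged, corrupted, or unknown SA
    _, inner_dst, _, _ = parse_ip(inner)
    if inner_dst not in allowed_inner_dst:
        return None                      # policy on the real destination
    return inner


def firewall_open_hole(pkt: bytes):
    """The alternative the post asks about: pass ESP on the outer header alone.
    With no SA key the firewall cannot distinguish a genuine packet from a forged one."""
    _, _, proto, _ = parse_ip(pkt)
    return pkt if proto == PROTO_ESP else None


def demo() -> dict:
    transport_key = b"constructed end-to-end key, initiator<->target"
    tunnel_key = b"constructed tunnel key, initiator<->firewall"
    initiator, target, firewall = "10.0.0.10", "192.0.2.20", "192.0.2.1"
    segment = b"constructed TCP/3260 segment carrying an iSCSI PDU"

    # Initiator: transport-mode ESP end-to-end, then tunnel-mode ESP to the firewall.
    e2e = ip_header(initiator, target, PROTO_ESP) + esp_protect(transport_key, 0x1001, 1, segment)
    wire = ip_header(initiator, firewall, PROTO_ESP) + esp_protect(tunnel_key, 0x2002, 1, e2e)

    forwarded = firewall_terminate_tunnel(tunnel_key, wire, {target})
    at_target = esp_verify(transport_key, parse_ip(forwarded)[3])   # target checks its own ICV

    # One flipped byte in transit: the firewall drops it before it reaches the target.
    corrupted = bytearray(wire)
    corrupted[-3] ^= 0x01
    dropped = firewall_terminate_tunnel(tunnel_key, bytes(corrupted), {target})

    # Transport-only through a hole: the packet passes unexamined, and the firewall
    # could not verify it anyway because it does not hold the end-to-end SA key.
    hole_passed = firewall_open_hole(e2e) is not None
    fw_verifies_e2e = esp_verify(tunnel_key, parse_ip(e2e)[3]) is not None

    return {
        "inner_forwarded": forwarded == e2e,
        "target_payload": at_target,
        "segment": segment,
        "tampered_dropped": dropped is None,
        "hole_passed": hole_passed,
        "firewall_verifies_e2e": fw_verifies_e2e,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else value[:24])
```

Running `demo()` shows the nested case from the draft working end to end (the firewall strips the tunnel layer after checking it, the target then checks the transport-mode ICV itself), a corrupted packet being dropped at the firewall, and the hole-in-the-firewall alternative passing a transport-mode packet that the firewall has no means to verify. Real ESP adds padding, a next-header trailer and optional encryption, and a real firewall would also apply anti-replay checks on the sequence number; none of that changes the comparison the example makes.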
    


Last updated: Tue Nov 06 00:17:45 2001