RE: I-D ACTION:draft-ietf-ips-security-04.txt

Have a couple of quick questions about the transport vs. tunnel mode discussion in the firewall traversal section of the latest draft. The section reads:

> Firewall traversal. Where a storage protocol is to traverse administrative domains, the firewall administrator may desire to verify the integrity and authenticity of each transiting packet, rather than opening a hole in the firewall for the storage protocol. IPsec tunnel mode lends itself to such verification, since the firewall can terminate the tunnel mode connection while still allowing the endpoints to communicate end-to-end. If desired, the endpoints can in addition utilize IPsec transport mode for end-to-end security, so that they can also verify authenticity and integrity of each packet for themselves.

My question is how important is the requirement for firewall administrators to "verify the integrity and authenticity of each transiting packet" if the iSCSI endpoints are using transport-mode IPsec/ESP (implying authentication and integrity checking) connections. Why would (in this case) opening a hole in the firewall to allow traversal of IPsec traffic not be sufficient?

Also, are there potential latency issues that may arise if the firewall is terminating IPsec (vs. iSCSI end-points terminating IPsec)? I see the emergence of IPsec acceleration in iSCSI end-points (vs. in general-purpose firewalls) to be a more likely scenario.

Saqib

Saqib Jang
Margalla Communications, Inc.
3301 El Camino Real, Suite 220
Atherton, CA 94027
Ph: 650 298 8462
Fax: 650 851 1613
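The distinction the quoted draft text draws, as an added illustration that is not part of the thread or the draft: a firewall can only verify an ESP packet's ICV when it holds the SA (tunnel mode terminated at the firewall), whereas an end-to-end transport-mode SA leaves it nothing to check beyond outer addresses and SPI, i.e. a hole. The packet layout, HMAC-based ICV, keys and addresses below are simplified and constructed for the example.

```python
import hmac, hashlib, struct

ISCSI_PORT = 3260   # IANA-registered iSCSI port
ICV_LEN = 12        # truncated HMAC ICV, as ESP integrity algorithms use

def esp_protect(key, spi, inner):
    """ESP-style integrity only (no encryption): SPI || payload || HMAC-SHA256-96 ICV."""
    body = struct.pack("!I", spi) + inner
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_verify(key, esp):
    """Return the protected payload if the ICV checks out, else None."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body[4:] if hmac.compare_digest(expected, icv) else None

def transport_mode(src, dst, dport, data, key, spi):
    """Transport mode: original IP header kept; ESP covers only TCP header + data."""
    return src + dst + esp_protect(key, spi, struct.pack("!H", dport) + data)

def tunnel_mode(src, dst, dport, data, gw_src, gw_dst, key, spi):
    """Tunnel mode: whole inner IP packet protected, then wrapped in a new outer IP header."""
    inner = src + dst + struct.pack("!H", dport) + data
    return gw_src + gw_dst + esp_protect(key, spi, inner)

def firewall_decide(pkt, sa_keys):
    """sa_keys maps SPI -> key for the tunnel-mode SAs this firewall terminates."""
    esp = pkt[8:]                                   # skip simplified 4+4 byte outer header
    spi = struct.unpack("!I", esp[:4])[0]
    if spi not in sa_keys:
        # End-to-end SA the firewall does not hold: it can match outer addresses and SPI
        # but verify nothing, which is exactly "opening a hole" for ESP.
        return ("hole", None)
    inner = esp_verify(sa_keys[spi], esp)
    if inner is None:
        return ("drop", None)                       # integrity/authenticity check failed
    dport = struct.unpack("!H", inner[8:10])[0]     # inner TCP destination port
    return ("allow" if dport == ISCSI_PORT else "drop", dport)

# Constructed sample values (hypothetical addresses and keys, not from the thread)
A, B, GW = b"\x0a\x00\x00\x01", b"\x0a\x01\x00\x05", b"\xc0\x00\x02\x01"
E2E_KEY, TUN_KEY = b"constructed-e2e-key", b"constructed-tunnel-key"
FW_SAS = {0x2000: TUN_KEY}      # firewall terminates only the tunnel SA with SPI 0x2000

def demo():
    e2e = transport_mode(A, B, ISCSI_PORT, b"iscsi-pdu", E2E_KEY, 0x1000)
    tun = tunnel_mode(A, B, ISCSI_PORT, b"iscsi-pdu", A, GW, TUN_KEY, 0x2000)
    forged = tun[:-1] + bytes([tun[-1] ^ 1])       # one flipped ICV bit in transit
    return firewall_decide(e2e, FW_SAS), firewall_decide(tun, FW_SAS), firewall_decide(forged, FW_SAS)

if __name__ == "__main__":
    print(demo())
```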