RE: iSCSI: IPsec tunnel / transport mode decision

["Ofer Biran" <BIRAN@il.ibm.com>]

No, this issue never got rough consensus. The statement was
put there just to provoke the discussion. And before the thread
of the security draft official positioning is awaken - an effort
will be made s.t. it will not include any normative text that
doesn't match the protocols standards normative text.

   Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253


"Saqib Jang" <saqibj@margallacomm.com> on 01/11/2001 19:03:29

Please respond to <saqibj@margallacomm.com>

To:   Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
cc:
Subject:  RE: iSCSI: IPsec tunnel / transport mode decision



I thought the latest security draft already closed
on this issue.

From Section 2.3 of -04 draft.
iSCSI security implementations MUST support ESP in transport mode.

Saqib

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Ofer Biran
Sent: Thursday, November 01, 2001 4:31 AM
To: ips@ece.cmu.edu
Subject: iSCSI: IPsec tunnel / transport mode decision


I'd like to drive this open issue into group consensus. It seems to
me that the tendency was more toward making tunnel mode a MUST as iFCP
and FCIP did, mainly due the option of integrating an existing IPsec
chip/box with the iSCSI implementation offering. If we reach this decision,
we may choose even not to mention transport mode (as MAY or some other
recommending text).

There is an excellent analysis made by Bernard Aboba in Section
"5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
( http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt )
that can help us with this decision (also Section "5.2. NAT traversal" is
relevant).

   Regards,
     Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253