RE: iSCSI: IPsec tunnel / transport mode decision
Funny because RFC 2401 says (Section 4.1)
"
In summary,
a) A host MUST support both transport and tunnel mode.
b) A security gateway is required to support only tunnel
mode. If it supports transport mode, that should be used
only when the security gateway is acting as a host, e.g.,
for network management.
"
I am assuming that at least one end of the iSCSI implementation is a Host
(if not both ends) and therefore will have a conformant IPsec
implementation...
Now the question is where do we want to allow security endpoints to be. If
we want to allow only host-host security (and the requisite policy
nightmares) then Transport Mode will work. However if we want to allow
Tunneling between hosts and security gateways, then Tunnel mode will need to
be used. In reality I think we should stick with the 2401 requirements,
that way I don't have to write my own implementation...
I have not seen a call of consensus on this issue, have you issued it David?
Bill
Bill Strahm
Member of the Technical Staff
bill@sanera.net
(503) 601-0263

"Software Development is a race between Programmers trying to build bigger and better idiot proof software and the Universe trying to produce bigger and better idiots. So far the Universe is winning" --- Rich Cook
-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Saqib Jang
Sent: Thursday, November 01, 2001 10:03 AM
To: Ofer Biran; ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision
I thought the latest security draft already closed
on this issue.
From Section 2.3 of -04 draft.
iSCSI security implementations MUST support ESP in transport mode.
Saqib
-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Ofer Biran
Sent: Thursday, November 01, 2001 4:31 AM
To: ips@ece.cmu.edu
Subject: iSCSI: IPsec tunnel / transport mode decision
I'd like to drive this open issue into group consensus. It seems to
me that the tendency was more toward making tunnel mode a MUST as iFCP
and FCIP did, mainly due to the option of integrating an existing IPsec
chip/box with the iSCSI implementation offering. If we reach this decision,
we may choose even not to mention transport mode (as MAY or some other
recommending text).
There is an excellent analysis made by Bernard Aboba in Section
"5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
( http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt )
that can help us with this decision (also Section "5.2. NAT traversal" is
relevant).
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
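To make the two modes debated above concrete, here is an added Python example (not code from the thread or from any cited draft) that builds the ESP encapsulation of a constructed iSCSI TCP segment in transport mode (host-to-host) and in tunnel mode (gateway-terminated), then reports which addresses remain visible on the wire and how much overhead each mode adds. The addresses, SPI values and the 48-byte placeholder payload are assumptions, and no encryption or authentication is actually applied; only the packet layout is shown.

```python
import socket
import struct

ESP_PROTO, TCP_PROTO, IPIP_PROTO = 50, 6, 4
ISCSI_PORT = 3260            # IANA-assigned iSCSI target port
ESP_ICV_LEN = 12             # truncated HMAC length used with ESP auth

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_wrap(spi, seq, payload, next_header):
    """ESP framing: SPI | seq | payload | pad | pad-len | next-header | ICV.
    Payload stays in clear and the ICV is zero-filled: layout only, no
    real encryption or authentication is performed here."""
    pad_len = (-(len(payload) + 2)) % 4              # 4-byte aligned trailer
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + bytes(ESP_ICV_LEN)

def transport_mode(src, dst, tcp_segment, spi=0x1000):
    """Host-to-host: original IP header kept, ESP inserted before TCP."""
    esp = esp_wrap(spi, 1, tcp_segment, TCP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, inner_ip_packet, spi=0x2000):
    """Host or gateway to gateway: the whole inner IP packet becomes the
    ESP payload and a new outer header names the tunnel endpoints."""
    esp = esp_wrap(spi, 1, inner_ip_packet, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def outer_endpoints(packet):
    """(src, dst) that routers, NATs and filters on the path can see."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def iscsi_packet(src="10.0.0.10", dst="10.0.0.20"):
    """Constructed sample: TCP segment from an initiator to a target's iSCSI
    port carrying a 48-byte placeholder for an iSCSI basic header segment."""
    tcp = struct.pack("!HHIIBBHHH", 40000, ISCSI_PORT, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + bytes(48)
    return tcp, ipv4_header(src, dst, TCP_PROTO, len(tcp)) + tcp

if __name__ == "__main__":
    tcp, ip = iscsi_packet()
    t = transport_mode("10.0.0.10", "10.0.0.20", tcp)
    u = tunnel_mode("192.0.2.1", "198.51.100.1", ip)
    print("transport:", outer_endpoints(t), "overhead", len(t) - len(ip))
    print("tunnel:   ", outer_endpoints(u), "overhead", len(u) - len(ip))
```

In transport mode the initiator and target addresses stay visible, so policy must be written per host pair; in tunnel mode only the gateway addresses are exposed and the extra 20 bytes are the preserved inner IP header.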