|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: IPsec tunnel / transport mode decisionFunny because RFC 2401 says (Section 4.1) " In summary, a) A host MUST support both transport and tunnel mode. b) A security gateway is required to support only tunnel mode. If it supports transport mode, that should be used only when the security gateway is acting as a host, e.g., for network management. " I am assuming that at least one end of the iSCSI implementation is a Host (if not both ends) and therefore will have a conformant IPsec implementation... Now the question is where do we want to allow security endpoints to be. If we want to allow only host-host security (and the requisite policy nightmares) then Transport Mode will work. However if we want to allow Tunneling between hosts and security gateways, then Tunnel mode will need to be used. In reality I think we should stick with the 2401 requirements, that way I don't have to write my own implementation... I have not seen a call of consensus on this issue, have you issued it David ? Bill +========+=========+=========+=========+=========+=========+=========+ Bill Strahm Software Development is a race between Programmers Member of the trying to build bigger and better idiot proof software Technical Staff and the Universe trying to produce bigger and better bill@sanera.net idiots. (503) 601-0263 So far the Universe is winning --- Rich Cook -----Original Message----- From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Saqib Jang Sent: Thursday, November 01, 2001 10:03 AM To: Ofer Biran; ips@ece.cmu.edu Subject: RE: iSCSI: IPsec tunnel / transport mode decision I thought the latest security draft already closed on this issue. >From Section 2.3 of -04 draft. iSCSI security implementations MUST support ESP in transport mode. Saqib -----Original Message----- From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Ofer Biran Sent: Thursday, November 01, 2001 4:31 AM To: ips@ece.cmu.edu Subject: iSCSI: IPsec tunnel / transport mode decision I'd like to drive this open issue into group consensus. It seems to me that the tendency was more toward making tunnel mode a MUST as iFCP and FCIP did, mainly due the option of integrating an existing IPsec chip/box with the iSCSI implementation offering. If we reach this decision, we may choose even not to mention transport mode (as MAY or some other recommending text). There is an excellent analysis made by Bernard Aboba in Section "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04 ( http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt ) that can help us with this decision (also Section "5.2. NAT traversal" is relevant). Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253
Home Last updated: Thu Nov 01 16:17:35 2001 7520 messages in chronological order |