RE: iSCSI: IPsec tunnel / transport mode decision

["Bill Strahm" <bill@sanera.net>]

Ok,

How does mandatory Transport mode remove the possibility of external
IPsec...

I have said before I can make IPsec transport & tunnel mode work in external
devices, just like you can do SSL/TLS accelerators both internally and
externally

Bill

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
Ofer Biran
Sent: Sunday, November 04, 2001 4:27 AM
To: saqibj@margallacomm.com
Cc: ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision


Saqib,

Mandatory transport mode would make bundling of external IPSec
impossible, while tunnel mode is not more difficult to implement
within the iSCSI endpoint than transport mode.

"Cost of ownership and complexity of deploying a stand-alone
IPsec gateway" might be among the considerations of vendors and
customers, but I don't think the standard should block such
solutions (and  it blocks more than just stand-alone IPsec
gateway).

  Regards,
   Ofer


Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253


"Saqib Jang" <saqibj@margallacomm.com> on 02/11/2001 20:59:03

Please respond to <saqibj@margallacomm.com>

To:   "Bill Strahm" <bill@sanera.net>, "CAVANNA,VICENTE V
      (A-Roseville,ex1)" <vince_cavanna@agilent.com>
cc:   "SHEEHY,DAVE (A-Americas,unix1)" <dave_sheehy@agilent.com>, Ofer
      Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
Subject:  RE: iSCSI: IPsec tunnel / transport mode decision



What about the cost of ownership and complexity of deploying
a stand-alone IPsec gateway for use with IPsec end-points?
If transport-mode IPsec is a must-to-implement capability in
iSCSI end-points there is an opportunity to have much
more coherent security for iSCSI.

Saqib