
    RE: iSCSI: IPsec tunnel / transport mode decision



    I actually would prefer if we didn't say anything other than a statement
    saying "Here is a policy that will cover IPS traffic"; from there it is up to
    compliant IPsec implementations to utilize this policy...
    
    Being that the WG feels that just specifying a coverage policy is adequate,
    but must get into specifying portions of the IPsec functionality, I would
    prefer Tunnel mode, because as far as I can tell, no one has shown a
    functional e-e transport mode implementation in the wild...
    
    Can anyone point to one?
    
    Bill
    +========+=========+=========+=========+=========+=========+=========+
    Bill Strahm     Software Development is a race between Programmers
    Member of the   trying to build bigger and better idiot proof software
    Technical Staff and the Universe trying to produce bigger and better
    bill@sanera.net idiots.
    (503) 601-0263  So far the Universe is winning --- Rich Cook
    
    
    -----Original Message-----
    From: Ofer Biran [mailto:BIRAN@il.ibm.com]
    Sent: Tuesday, November 06, 2001 11:53 AM
    To: Bill Strahm
    Cc: saqibj@margallacomm.com; ips@ece.cmu.edu
    Subject: RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    Bill,
    
    I agree that you can make external devices that support transport mode,
    but it seems that most of those existing today do not support it.
    
    Anyway, for our required decision... you also said you prefer tunnel mode,
    right?
    
      Regards,
        Ofer
    
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    "Bill Strahm" <bill@Sanera.net> on 04/11/2001 21:39:22
    
    Please respond to "Bill Strahm" <bill@Sanera.net>
    
    To:   Ofer Biran/Haifa/IBM@IBMIL, <saqibj@margallacomm.com>
    cc:   <ips@ece.cmu.edu>
    Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    
    Ok,
    
    How does mandatory Transport mode remove the possibility of external
    IPsec...
    
    I have said before I can make IPsec transport & tunnel mode work in external
    devices, just like you can do SSL/TLS accelerators both internally and
    externally
    
    Bill
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Ofer Biran
    Sent: Sunday, November 04, 2001 4:27 AM
    To: saqibj@margallacomm.com
    Cc: ips@ece.cmu.edu
    Subject: RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    Saqib,
    
    Mandatory transport mode would make bundling of external IPSec
    impossible, while tunnel mode is not more difficult to implement
    within the iSCSI endpoint than transport mode.
    
    "Cost of ownership and complexity of deploying a stand-alone
    IPsec gateway" might be among the considerations of vendors and
    customers, but I don't think the standard should block such
    solutions (and it blocks more than just stand-alone IPsec
    gateway).
    
      Regards,
       Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    "Saqib Jang" <saqibj@margallacomm.com> on 02/11/2001 20:59:03
    
    Please respond to <saqibj@margallacomm.com>
    
    To:   "Bill Strahm" <bill@sanera.net>, "CAVANNA,VICENTE V
          (A-Roseville,ex1)" <vince_cavanna@agilent.com>
    cc:   "SHEEHY,DAVE (A-Americas,unix1)" <dave_sheehy@agilent.com>, Ofer
          Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
    Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    
    What about the cost of ownership and complexity of deploying
    a stand-alone IPsec gateway for use with IPsec end-points?
    If transport-mode IPsec is a must-to-implement capability in
    iSCSI end-points there is an opportunity to have much
    more coherent security for iSCSI.
    
    Saqib
    
    
    
    
    
    
    



Last updated: Wed Nov 07 13:17:38 2001