RE: iSCSI: IPsec tunnel / transport mode decision

I actually would prefer if we didn't say anything other than a statement saying "Here is a policy that will cover IPS traffic" from there it is up to compliant IPsec implementations to utilize this policy...

Being that the WG feels that just specifying a coverage policy is adequate, but must get into specifying portions of the IPsec functionality, I would prefer Tunnel mode, because as far as I can tell, no one has shown a functional e-e transport mode implementation in the wild... Can anyone point to one?

Bill

+========+=========+=========+=========+=========+=========+=========+
Bill Strahm       Software Development is a race between Programmers
Member of the     trying to build bigger and better idiot proof software
Technical Staff   and the Universe trying to produce bigger and better
bill@sanera.net   idiots.
(503) 601-0263    So far the Universe is winning
                  --- Rich Cook

-----Original Message-----
From: Ofer Biran [mailto:BIRAN@il.ibm.com]
Sent: Tuesday, November 06, 2001 11:53 AM
To: Bill Strahm
Cc: saqibj@margallacomm.com; ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision

Bill,

I agree that you can make external devices that support transport mode, but it seems that most of those existing today do not support it.

Anyway for our required decision... you also said you prefer tunnel mode, right?

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253

"Bill Strahm" <bill@Sanera.net> on 04/11/2001 21:39:22
Please respond to "Bill Strahm" <bill@Sanera.net>
To: Ofer Biran/Haifa/IBM@IBMIL, <saqibj@margallacomm.com>
cc: <ips@ece.cmu.edu>
Subject: RE: iSCSI: IPsec tunnel / transport mode decision

Ok,

How does mandatory Transport mode remove the possibility of external IPsec...

I have said before I can make IPsec transport & tunnel mode work in external devices, just like you can do SSL/TLS accelerators both internally and externally

Bill

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Ofer Biran
Sent: Sunday, November 04, 2001 4:27 AM
To: saqibj@margallacomm.com
Cc: ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision

Saqib,

Mandatory transport mode would make bundling of external IPSec impossible, while tunnel mode is not more difficult to implement within the iSCSI endpoint than transport mode.

"Cost of ownership and complexity of deploying a stand-alone IPsec gateway" might be among the considerations of vendors and customers, but I don't think the standard should block such solutions (and it blocks more than just stand-alone IPsec gateway).

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253

"Saqib Jang" <saqibj@margallacomm.com> on 02/11/2001 20:59:03
Please respond to <saqibj@margallacomm.com>
To: "Bill Strahm" <bill@sanera.net>, "CAVANNA,VICENTE V (A-Roseville,ex1)" <vince_cavanna@agilent.com>
cc: "SHEEHY,DAVE (A-Americas,unix1)" <dave_sheehy@agilent.com>, Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
Subject: RE: iSCSI: IPsec tunnel / transport mode decision

What about the cost of ownership and complexity of deploying a stand-alone IPsec gateway for use with IPsec end-points?

If transport-mode IPsec is a must-to-implement capability in iSCSI end-points there is an opportunity to have much more coherent security for iSCSI.

Saqib

Last updated: Wed Nov 07 13:17:38 2001
7616 messages in chronological order