    RE: iSCSI: IPsec tunnel / transport mode decision



    By doing this we are forcing IPSec. No flexibility of
    going transport over tunnel. I think we were still
    having a discussion of whether transport can also be
    supported and hence instead of forcing with IPSec
    can't we allow both mechanisms to a MAY?
    
    In that scenario one could opt for transport mode with
    tunnel and still have a good implementation running.
    What do others think?
    
    SG
    
    --- Ofer Biran <BIRAN@il.ibm.com> wrote:
    > 
    > It seems that most people prefer tunnel over transport mode
    > and there is no real opposition for choosing tunnel mode as
    > the MUST. In view of that we intend to add it in version 09
    > in the following iSCSI statements:
    > 
    > In Section 10.3.1 Data Integrity and Authentication:
    > 
    > "An iSCSI compliant initiator or target MUST provide data
    > integrity and authentication by implementing IPSec [RFC2401]
    > with ESP in tunnel mode [RFC2406] with the following..."
    > 
    > And in Section 10.3.2 Confidentiality :
    > 
    > "An iSCSI compliant initiator or target MUST provide
    > confidentiality by implementing IPSec [RFC2401] with
    > ESP in tunnel mode [RFC2406] with the following..."
    > 
    > Any objection ?
    > 
    >   Regards,
    >     Ofer
    > 
    > 
    > Ofer Biran
    > Storage and Systems Technology
    > IBM Research Lab in Haifa
    > biran@il.ibm.com  972-4-8296253
    > 
    > 
    > "Saqib Jang" <saqibj@margallacomm.com> on 01/11/2001 20:03:29
    > 
    > Please respond to <saqibj@margallacomm.com>
    > 
    > To:   Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
    > cc:
    > Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    > 
    > -----Original Message-----
    > From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of Ofer Biran
    > Sent: Thursday, November 01, 2001 4:31 AM
    > To: ips@ece.cmu.edu
    > Subject: iSCSI: IPsec tunnel / transport mode decision
    > 
    > 
    > I'd like to drive this open issue into group consensus. It seems to
    > me that the tendency was more toward making tunnel mode a MUST as iFCP
    > and FCIP did, mainly due to the option of integrating an existing IPsec
    > chip/box with the iSCSI implementation offering. If we reach this decision,
    > we may choose even not to mention transport mode (as MAY or some other
    > recommending text).
    > 
    > There is an excellent analysis made by Bernard Aboba in Section
    > "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
    > ( http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt )
    > that can help us with this decision (also Section "5.2. NAT traversal" is
    > relevant).
    > 
    >    Regards,
    >      Ofer
    > 
    > Ofer Biran
    > Storage and Systems Technology
    > IBM Research Lab in Haifa
    > biran@il.ibm.com  972-4-8296253
    > 
    > 
    > 
    > 
    
    


Last updated: Fri Nov 09 19:17:34 2001
7718 messages in chronological order