RE: iSCSI: IPsec tunnel / transport mode decision

I don't understand what you are really asking for...

Do you want both Transport & Tunnel mode to be a MAY?
Do you want the option to not have either?
Do you expect to run Transport mode ESP through a Tunnel Mode ESP transform?
Do you expect to run another security protocol (for example TLS)?

I think we should just say, we require (a MUST) a 2401 IPsec implementation (and all the other random IPsec RFCs as well) (This answers the first three questions above)

I think we should allow TLS rather than IPsec (this has lost a long time in the WG, so I am pretty much just giving up) (answers the 4th question)

Bill

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of Sukanta ganguly
Sent: Friday, November 09, 2001 11:07 AM
To: Ofer Biran; ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision

By doing this we are forcing IPSec. No flexibility of going transport over tunnel. I think we were still having a discussion of whether transport can also be supported and hence instead of forcing with IPSec can't we allow both mechanisms to a MAY. In that scenario one could opt for transport mode with tunnel and still have a good implementation running.

What do others think?
SG

--- Ofer Biran <BIRAN@il.ibm.com> wrote:
>
> It seems that most people prefer tunnel over transport mode
> and there is no real opposition for choosing tunnel mode as
> the MUST. In view of that we intend to add it in version 09
> in the following iSCSI statements:
>
> In Section 10.3.1 Data Integrity and Authentication:
>
> "An iSCSI compliant initiator or target MUST provide data
> integrity and authentication by implementing IPSec [RFC2401]
> with ESP in tunnel mode [RFC2406] with the following..."
>
> And in Section 10.3.2 Confidentiality:
>
> "An iSCSI compliant initiator or target MUST provide
> confidentiality by implementing IPSec [RFC2401] with
> ESP in tunnel mode [RFC2406] with the following..."
>
> Any objection?
>
> Regards,
> Ofer
>
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com 972-4-8296253
>
> "Saqib Jang" <saqibj@margallacomm.com> on 01/11/2001 20:03:29
>
> Please respond to <saqibj@margallacomm.com>
>
> To: Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
> cc:
> Subject: RE: iSCSI: IPsec tunnel / transport mode decision
>
> -----Original Message-----
> From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of Ofer Biran
> Sent: Thursday, November 01, 2001 4:31 AM
> To: ips@ece.cmu.edu
> Subject: iSCSI: IPsec tunnel / transport mode decision
>
> I'd like to drive this open issue into group consensus. It seems to
> me that the tendency was more toward making tunnel mode a MUST as iFCP
> and FCIP did, mainly due to the option of integrating an existing IPsec
> chip/box with the iSCSI implementation offering. If we reach this decision,
> we may choose even not to mention transport mode (as MAY or some other
> recommending text).
>
> There is an excellent analysis made by Bernard Aboba in Section
> "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
> (http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt)
> that can help us with this decision (also Section "5.2. NAT traversal" is
> relevant).
>
> Regards,
> Ofer
>
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com 972-4-8296253
Last updated: Sat Nov 10 11:17:45 2001