RE: iSCSI: IPsec tunnel / transport mode decision

Bill,

I was very clear in my email. Let me put this in simple words. I was expecting a MAY for IPSec and a MAY for TLS. A MUST for IPSec i.e. 2401 rules out everything. Seems like IPSec has already been decided.

SG

--- Bill Strahm <bill@Sanera.net> wrote:
> I don't understand what you are really asking for...
> Do you want both Transport & Tunnel mode to be a MAY?
> Do you want the option to not have either?
> Do you expect to run Transport mode ESP through a Tunnel Mode ESP transform?
> Do you expect to run another security protocol (for example TLS)?
>
> I think we should just say, we require (a MUST) a 2401 IPsec implementation
> (and all the other random IPsec RFCs as well) (This answers the first three
> questions above)
>
> I think we should allow TLS rather than IPsec (this has lost a long time in
> the WG, so I am pretty much just giving up) (answers the 4th question)
>
> Bill
>
> -----Original Message-----
> From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> Sukanta ganguly
> Sent: Friday, November 09, 2001 11:07 AM
> To: Ofer Biran; ips@ece.cmu.edu
> Subject: RE: iSCSI: IPsec tunnel / transport mode decision
>
> By doing this we are forcing IPSec. No flexibility of
> going transport over tunnel. I think we were still
> having a discussion of whether transport can also be
> supported and hence instead of forcing with IPSec
> can't we allow both mechanisms to a MAY.
>
> In that scenario one could opt for transport mode with
> tunnel and still have a good implementation running.
> What do others think?
>
> SG
>
> --- Ofer Biran <BIRAN@il.ibm.com> wrote:
> >
> > It seems that most people prefer tunnel over transport mode
> > and there is no real opposition for choosing tunnel mode as
> > the MUST. In view of that we intend to add it in version 09
> > in the following iSCSI statements:
> >
> > In Section 10.3.1 Data Integrity and Authentication:
> >
> > "An iSCSI compliant initiator or target MUST provide data
> > integrity and authentication by implementing IPSec [RFC2401]
> > with ESP in tunnel mode [RFC2406] with the following..."
> >
> > And in Section 10.3.2 Confidentiality:
> >
> > "An iSCSI compliant initiator or target MUST provide
> > confidentiality by implementing IPSec [RFC2401] with
> > ESP in tunnel mode [RFC2406] with the following..."
> >
> > Any objection?
> >
> > Regards,
> > Ofer
> >
> > Ofer Biran
> > Storage and Systems Technology
> > IBM Research Lab in Haifa
> > biran@il.ibm.com 972-4-8296253
> >
> > "Saqib Jang" <saqibj@margallacomm.com> on 01/11/2001 20:03:29
> >
> > Please respond to <saqibj@margallacomm.com>
> >
> > To: Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
> > cc:
> > Subject: RE: iSCSI: IPsec tunnel / transport mode decision
> >
> > -----Original Message-----
> > From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> > Ofer Biran
> > Sent: Thursday, November 01, 2001 4:31 AM
> > To: ips@ece.cmu.edu
> > Subject: iSCSI: IPsec tunnel / transport mode decision
> >
> > I'd like to drive this open issue into group consensus. It seems to
> > me that the tendency was more toward making tunnel mode a MUST as iFCP
> > and FCIP did, mainly due to the option of integrating an existing IPsec
> > chip/box with the iSCSI implementation offering. If we reach this decision,
> > we may choose even not to mention transport mode (as MAY or some other
> > recommending text).
> >
> > There is an excellent analysis made by Bernard Aboba in Section
> > "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
> > (http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt)
> > that can help us with this decision (also Section "5.2. NAT traversal" is
> > relevant).
> >
> > Regards,
> > Ofer
> >
> > Ofer Biran
> > Storage and Systems Technology
> > IBM Research Lab in Haifa
> > biran@il.ibm.com 972-4-8296253
Last updated: Sat Nov 10 11:17:45 2001