
    RE: iSCSI: IPsec tunnel / transport mode decision



    Bill,
    I was very clear in my email. Let me put this in
    simple words. I was expecting a MAY for IPSec and a
    MAY for TLS. A MUST for IPSec i.e. 2401 rules out
    everything. Seems like IPSec has already been
    decided.
    
    SG
    
    
    --- Bill Strahm <bill@Sanera.net> wrote:
    > I don't understand what you are really asking for...
    > Do you want both Transport & Tunnel mode to be a MAY?
    > Do you want the option to not have either?
    > Do you expect to run Transport mode ESP through a
    > Tunnel Mode ESP transform?
    > Do you expect to run another security protocol (for
    > example TLS)?
    > 
    > I think we should just say, we require (a MUST) a
    > 2401 IPsec implementation (and all the other random
    > IPsec RFCs as well) (This answers the first three
    > questions above)
    > 
    > I think we should allow TLS rather than IPsec (this
    > has lost a long time in the WG, so I am pretty much
    > just giving up) (answers the 4th question)
    > 
    > Bill
    > -----Original Message-----
    > From: owner-ips@ece.cmu.edu
    > [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    > Sukanta ganguly
    > Sent: Friday, November 09, 2001 11:07 AM
    > To: Ofer Biran; ips@ece.cmu.edu
    > Subject: RE: iSCSI: IPsec tunnel / transport mode
    > decision
    > 
    > 
    > By doing this we are forcing IPSec. No flexibility of
    > going transport over tunnel. I think we were still
    > having a discussion of whether transport can also be
    > supported and hence instead of forcing with IPSec
    > can't we allow both mechanisms to a MAY.
    > 
    > In that scenario one could opt for transport mode with
    > tunnel and still have a good implementation running.
    > What do others think?
    > 
    > SG
    > 
    > --- Ofer Biran <BIRAN@il.ibm.com> wrote:
    > >
    > > It seems that most people prefer tunnel over transport mode
    > > and there is no real opposition for choosing tunnel mode as
    > > the MUST. In view of that we intend to add it in version 09
    > > in the following iSCSI statements:
    > >
    > > In Section 10.3.1 Data Integrity and Authentication:
    > >
    > > "An iSCSI compliant initiator or target MUST provide data
    > > integrity and authentication by implementing IPSec [RFC2401]
    > > with ESP in tunnel mode [RFC2406] with the following..."
    > >
    > > And in Section 10.3.2 Confidentiality:
    > >
    > > "An iSCSI compliant initiator or target MUST provide
    > > confidentiality by implementing IPSec [RFC2401] with
    > > ESP in tunnel mode [RFC2406] with the following..."
    > >
    > > Any objection ?
    > >
    > >   Regards,
    > >     Ofer
    > >
    > >
    > > Ofer Biran
    > > Storage and Systems Technology
    > > IBM Research Lab in Haifa
    > > biran@il.ibm.com  972-4-8296253
    > >
    > >
    > > "Saqib Jang" <saqibj@margallacomm.com> on
    > 01/11/2001
    > > 20:03:29
    > >
    > > Please respond to <saqibj@margallacomm.com>
    > >
    > > To:   Ofer Biran/Haifa/IBM@IBMIL,
    > <ips@ece.cmu.edu>
    > > cc:
    > > Subject:  RE: iSCSI: IPsec tunnel / transport mode
    > > decision
    > >
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: owner-ips@ece.cmu.edu
    > > [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    > > Ofer Biran
    > > Sent: Thursday, November 01, 2001 4:31 AM
    > > To: ips@ece.cmu.edu
    > > Subject: iSCSI: IPsec tunnel / transport mode
    > > decision
    > >
    > >
    > > I'd like to drive this open issue into group consensus. It seems to
    > > me that the tendency was more toward making tunnel mode a MUST as iFCP
    > > and FCIP did, mainly due to the option of integrating an existing IPsec
    > > chip/box with the iSCSI implementation offering. If we reach this decision,
    > > we may choose even not to mention transport mode (as MAY or some other
    > > recommending text).
    > >
    > > There is an excellent analysis made by Bernard Aboba in Section
    > > "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
    > > (http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt)
    > > that can help us with this decision (also Section
    > > "5.2. NAT traversal" is relevant).
    > >
    > >    Regards,
    > >      Ofer
    > >
    > > Ofer Biran
    > > Storage and Systems Technology
    > > IBM Research Lab in Haifa
    > > biran@il.ibm.com  972-4-8296253
    > >
    > >
    > >
    > >



Last updated: Sat Nov 10 11:17:45 2001