RE: iSCSI: IPsec tunnel / transport mode decision

To: Bill Strahm <bill@sanera.net>, Ofer Biran <BIRAN@il.ibm.com>, ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision
From: Sukanta ganguly <sganguly@yahoo.com>
Date: Fri, 9 Nov 2001 16:18:35 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <HDECJFNIFJBIAINDCFOMMEGPCDAA.bill@sanera.net>
Sender: owner-ips@ece.cmu.edu

Bill,
I was very clear in my email. Let me put this is
simple words. I was expecting a MAY for IPSec and a
MAY for TLS. A MUST for IPSec i.e. 2401 rules out
everything. Seems like IPSec has already been decided
already. 

SG


--- Bill Strahm <bill@Sanera.net> wrote:
> I don't understand what you are really asking for...
> Do you want both Transport & Tunnel mode to be a MAY
> ?
> Do you want the option to not have either ?
> Do you expect to run Transport mode ESP through a
> Tunnel Mode ESP transform
> ?
> Do you expect to run another security protocol (for
> example TLS) ?
> 
> I think we should just say, we require (a MUST) a
> 2401 IPsec implementation
> (and all the other random IPsec RFCs as well) (This
> answers the first three
> questions above)
> 
> I think we should allow TLS rather than IPsec (this
> has lost a long time in
> the WG, so I am pretty much just giving up) (answers
> the 4th question)
> 
> Bill
> -----Original Message-----
> From: owner-ips@ece.cmu.edu
> [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> Sukanta ganguly
> Sent: Friday, November 09, 2001 11:07 AM
> To: Ofer Biran; ips@ece.cmu.edu
> Subject: RE: iSCSI: IPsec tunnel / transport mode
> decision
> 
> 
> By doing this we are forcing IPSec. No flexibility
> of
> going transport over tunnel. I think we were still
> having a discussion of whether transport can also be
> supported and hence instead of forcing with IPSec
> can't we allow both mechanisms to a MAY.
> 
> In that scenario one could opt for transport mode
> with
> tunnel and still have a good implementation running.
> What do other think?
> 
> SG
> 
> --- Ofer Biran <BIRAN@il.ibm.com> wrote:
> >
> > It seems that most people prefer tunnel over
> > transport mode
> > and there is no real opposition for choosing
> tunnel
> > mode as
> > the MUST. In view of that we intend to add it in
> > version 09
> > in the following iSCSI statements:
> >
> > In Section 10.3.1 Data Integrity and
> Authentication
> > :
> >
> > "An iSCSI compliant initiator or target MUST
> provide
> > data
> > integrity and authentication by implementing IPSec
> > [RFC2401]
> > with ESP in tunnel mode [RFC2406] with the
> > following..."
> >
> > And in Section 10.3.2 Confidentiality :
> >
> > "An iSCSI compliant initiator or target MUST
> provide
> > confidentiality by implementing IPSec [RFC2401]
> with
> > ESP in tunnel mode [RFC2406] with the
> following..."
> >
> > Any objection ?
> >
> >   Regards,
> >     Ofer
> >
> >
> > Ofer Biran
> > Storage and Systems Technology
> > IBM Research Lab in Haifa
> > biran@il.ibm.com  972-4-8296253
> >
> >
> > "Saqib Jang" <saqibj@margallacomm.com> on
> 01/11/2001
> > 20:03:29
> >
> > Please respond to <saqibj@margallacomm.com>
> >
> > To:   Ofer Biran/Haifa/IBM@IBMIL,
> <ips@ece.cmu.edu>
> > cc:
> > Subject:  RE: iSCSI: IPsec tunnel / transport mode
> > decision
> >
> >
> >
> >
> > -----Original Message-----
> > From: owner-ips@ece.cmu.edu
> > [mailto:owner-ips@ece.cmu.edu]On Behalf Of
> > Ofer Biran
> > Sent: Thursday, November 01, 2001 4:31 AM
> > To: ips@ece.cmu.edu
> > Subject: iSCSI: IPsec tunnel / transport mode
> > decision
> >
> >
> > I'd like to drive this open issue into group
> > consensus. It seems to
> > me that the tendency was more toward making tunnel
> > mode a MUST as iFCP
> > and FCIP did, mainly due the option of integrating
> > an existing IPsec
> > chip/box with the iSCSI implementation offering.
> If
> > we reach this decision,
> > we may choose even not to mention transport mode
> (as
> > MAY or some other
> > recommending text).
> >
> > There is an excellent analysis made by Bernard
> Aboba
> > in Section
> > "5.1. Transport mode versus tunnel mode" of
> > draft-ietf-ips-security-04
> > (
> >
>
http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt
> > )
> > that can help us with this decision (also Section
> > "5.2. NAT traversal" is
> > relevant).
> >
> >    Regards,
> >      Ofer
> >
> > Ofer Biran
> > Storage and Systems Technology
> > IBM Research Lab in Haifa
> > biran@il.ibm.com  972-4-8296253
> >
> >
> >
> >
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Find a job, post your resume.
> http://careers.yahoo.com
> 


__________________________________________________
Do You Yahoo!?
Find a job, post your resume.
http://careers.yahoo.com

References:
- RE: iSCSI: IPsec tunnel / transport mode decision
  - From: "Bill Strahm" <bill@sanera.net>

Prev by Date: RE: iSCSI: Clarification (again) for Task Management Commands
Next by Date: iSCSI:Negotiating a maximum SCSI data phase
Prev by thread: RE: iSCSI: IPsec tunnel / transport mode decision
Next by thread: RE: iSCSI: IPsec tunnel / transport mode decision
Index(es):
- Date
- Thread

Home

Last updated: Sat Nov 10 11:17:45 2001
7740 messages in chronological order