SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: IPsec tunnel / transport mode decision



    
    Howard,
    
    In my opinion we only need a MUST on one mode and algorithm
    to ensure interoperability. This doesn't rule out implementation
    and use of transport mode. I don't think putting a MAY is necessary -
    the only reason for MAY (RFC2119) is forcing each side to expect that
    the other side might offer this option. Transport mode offering is
    well defined in the IKE negotiation and the responder chooses the
    desired SA, a one which it supports of course, or denies. So I think
    we have an implicit MAY for transport mode and any other (and future)
    algorithm by the IKE negotiation and by not saying MUST NOT or
    SHOULD NOT use.
    
      Regards,
        Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    "Herbert, Howard C" <howard.c.herbert@intel.com> on 09/11/2001 22:24:43
    
    Please respond to "Herbert, Howard C" <howard.c.herbert@intel.com>
    
    To:   Ofer Biran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
    cc:
    Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    
    
    Does this mean that transport mode will be a "MAY" or a "SHOULD"?
    
    Howard
    
    -----Original Message-----
    From: Ofer Biran [mailto:BIRAN@il.ibm.com]
    Sent: Friday, November 09, 2001 10:54 AM
    To: ips@ece.cmu.edu
    Subject: RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    
    It seems that most people prefer tunnel over transport mode
    and there is no real opposition for choosing tunnel mode as
    the MUST. In view of that we intend to add it in version 09
    in the following iSCSI statements:
    
    In Section 10.3.1 Data Integrity and Authentication :
    
    "An iSCSI compliant initiator or target MUST provide data
    integrity and authentication by implementing IPSec [RFC2401]
    with ESP in tunnel mode [RFC2406] with the following..."
    
    And in Section 10.3.2 Confidentiality :
    
    "An iSCSI compliant initiator or target MUST provide
    confidentiality by implementing IPSec [RFC2401] with
    ESP in tunnel mode [RFC2406] with the following..."
    
    Any objection ?
    
      Regards,
        Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    "Saqib Jang" <saqibj@margallacomm.com> on 01/11/2001 20:03:29
    
    Please respond to <saqibj@margallacomm.com>
    
    To:   Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
    cc:
    Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    
    
    
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Ofer Biran
    Sent: Thursday, November 01, 2001 4:31 AM
    To: ips@ece.cmu.edu
    Subject: iSCSI: IPsec tunnel / transport mode decision
    
    
    I'd like to drive this open issue into group consensus. It seems to
    me that the tendency was more toward making tunnel mode a MUST as iFCP
    and FCIP did, mainly due the option of integrating an existing IPsec
    chip/box with the iSCSI implementation offering. If we reach this decision,
    we may choose even not to mention transport mode (as MAY or some other
    recommending text).
    
    There is an excellent analysis made by Bernard Aboba in Section
    "5.1. Transport mode versus tunnel mode" of draft-ietf-ips-security-04
    ( http://www.ietf.org/internet-drafts/draft-ietf-ips-security-04.txt )
    that can help us with this decision (also Section "5.2. NAT traversal" is
    relevant).
    
       Regards,
         Ofer
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    
    
    
    
    


Home

Last updated: Sun Nov 11 15:17:46 2001
7744 messages in chronological order