RE: Edited Minutes of the 1/29/02 IPS Security Conference call

[Black_David@emc.com]

Answering a private question to the list due to general
interest:

> When would an initiators IPsec implementation would be
> an IPsec gateway one (or is there a scenario where
> an initiator would be acting as an IPsec gateway?)

When it functions as a security gateway as defined by
RFC 2401.  The IP Storage specifications would not set down
any rules for determining this - there would be a reference
to RFC 2401 and implementers would make their own
determinations.

In general, if there's a private network link
(physical or virtual) over which packets are forwarded
between the IPsec implementation and the IP Storage
implementation (e.g., iSCSI Initiator), then the IPsec
implementation is most probably a security gateway.
This need not always be the case (e.g., in the presence
of sufficient architectural "cleverness"), and there are
other situations in which the IPsec implementation may be
a security gateway even in the absence of such a private
link. Also, please note that Transport mode is not
forbidden for security gateways, it is just not required.

To understand this topic, there is really no substitute for
the relevant portions of RFC 2401 - I would recommend that
anyone who is interested in this topic read RFC 2401 from
its beginning through at least the end of Section 4.3.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------