RE: IPsec Usage Question

To: Black_David@emc.com
Subject: RE: IPsec Usage Question
From: "KRUEGER,MARJORIE (HP-Roseville,ex1)" <marjorie_krueger@hp.com>
Date: Fri, 1 Feb 2002 16:28:04 -0800
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

I agree with Paul, the association of *any* internal network address to any
external mapping is  an IPSec configuration concern!  To state that another
way, that is a generic IPSec security gateway configuration detail.  I can't
speak for iSNS, but this information does *not* belong in the SendTargets
command or the iSCSI portion of SLP!  That very notion violates
architectural layering principals - iSCSI has no need to know about IPSec
headers which will be stripped off before the iSCSI processing layer
receives the packet.

It is true that security gateways in general have implications to the
accessability of *every* service behind that gateway.  But the solution does
not lie in sprinkling pieces of the IPSec configuration into all of those
service configuration mechanisms!  As Paul suggests, this should be handled
by the IPSec configuration management tools.

We've already agreed that sendTargets should contain only information
directly related to iSCSI configuration (knowledge within the iSCSI
"entity") - see this thread
http://www.pdl.cmu.edu/mailinglists/ips/mail/msg04944.html  Just say No! to
feature creep... :-)

Marjorie Krueger
Networked Storage Architecture
Networked Storage Solutions Org.
Hewlett-Packard
tel: +1 916 785 2656
fax: +1 916 785 0391
email: marjorie_krueger@hp.com 

> -----Original Message-----
> From: Paul Koning [mailto:ni1d@arrl.net]
> Sent: Friday, February 01, 2002 12:54 PM
> To: Black_David@emc.com
> Cc: ips@ece.cmu.edu
> Subject: RE: IPsec Usage Question
> 
> 
> Excerpt of message (sent 1 February 2002) by Black_David@emc.com:
> > Mandating the same addresses in the inner and outer header is a "big
> > hammer" that may not be the right course of action.  OTOH, if one
> > needs to know both the inner and outer IP addresses in 
> order to contact
> > a target, that has implications for the functionality/usage of Send
> > Targets, iSNS, and SLP.  My underlying goal is to figure out whether
> > we need to put support for two IP addresses per target into those
> > configuration mechanisms (this would apply to FCIP, iFCP, 
> and iSCSI).
> 
> Managing the mapping from the inner address to the outer address is
> a function of IPsec management -- that's the policy database which
> defines which host traffic is protected by what tunnel.
> 
> It's tempting to try to avoid IPsec management by addressing
> restrictions such as you mentioned here, but that does not help.
> There are about a dozen parameters for an IPsec SA, and you can't
> hardware all of them in the standard.  Trying to attack this by the
> restriction you proposed, even if feasible, only takes care of a
> fraction of the IPsec management you need.
> 
> I would think that IP Storage mechanisms such as Send Targets or iSNS
> should concern themselves with storage, not with other components like
> IPsec.  So yes, you need IPsec management (including tunnel
> addressing) but no, it's not the job of IP Storage mechanisms to
> administer those parameters.
> 
>      paul
>

Prev by Date: RE: IPsec Usage Question
Next by Date: RE: iSCSI: No Framing
Prev by thread: RE: IPsec Usage Question
Next by thread: RE: IPsec Usage Question
Index(es):
- Date
- Thread

Home

Last updated: Sat Feb 02 17:18:02 2002
8609 messages in chronological order