RE: IPsec Usage Question

[Paul Koning <ni1d@arrl.net>]

Addendum to my previous note about tunnels and IPsec gateways, because
the examples I gave don't make the issue clear.

The issue is: given how security gateways are used, is the inner
address == outer address restriction acceptable?

Consider a situation where a set of initiators are protected by a
(separate) IPsec gateway.  There are plenty of reasons for using that
setup: (1) lower cost than per-HBA high speed crypto, (2) centralized
security management is easier, (3) centralized security management is
required by organization policy, (n) etc.  On the other hand, the
target is an iSCSI node whose built-in IPsec is used.  (Perhaps it's
managed separately; perhaps since there is only one node is it
considered more sensible not to stick an IPsec gateway in front of
it.)  Let's assume that node doesn't need a separate outer IPsec
address. 

In that setting, the I->T packets will have innerDA == outerDA and
innerSA != outerSA, while the T->I packets will have innerSA == outerSA 
and innerDA != outerDA.

Note also that in this scenario it doesn't matter to the initiators
whether the target uses inner == outer.  The initiators talk to the
inner address of the target; only the IPsec gateway needs to know that
that traffic goes into the tunnel to the target, and what the outer
address for the tunnel is.  (And that has to be IPsec management, not
IPS management, since the IPsec gateway doesn't participate in any IPS
mechanisms.)

So in summary: since it's not acceptable to rule out the use of
separate IPsec security gateways at one end of an IPS connection, it
follows that you must allow inner != outer address.

	paul