RE: IPsec Usage Question

Addendum to my previous note about tunnels and IPsec gateways, because the examples I gave don't make the issue clear. The issue is: given how security gateways are used, is the inner address == outer address restriction acceptable?

Consider a situation where a set of initiators are protected by a (separate) IPsec gateway. There are plenty of reasons for using that setup: (1) lower cost than per-HBA high speed crypto, (2) centralized security management is easier, (3) centralized security management is required by organization policy, (n) etc. On the other hand, the target is an iSCSI node whose built-in IPsec is used. (Perhaps it's managed separately; perhaps since there is only one node it is considered more sensible not to stick an IPsec gateway in front of it.) Let's assume that node doesn't need a separate outer IPsec address.

In that setting, the I->T packets will have innerDA == outerDA and innerSA != outerSA, while the T->I packets will have innerSA == outerSA and innerDA != outerDA.

Note also that in this scenario it doesn't matter to the initiators whether the target uses inner == outer. The initiators talk to the inner address of the target; only the IPsec gateway needs to know that that traffic goes into the tunnel to the target, and what the outer address for the tunnel is. (And that has to be IPsec management, not IPS management, since the IPsec gateway doesn't participate in any IPS mechanisms.)

So in summary: since it's not acceptable to rule out the use of separate IPsec security gateways at one end of an IPS connection, it follows that you must allow inner != outer address.

paul
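The following is an added example, not part of the message above nor code from the IPS working group: a small Python model of tunnel-mode IPsec addressing for the deployment the post describes, with initiators behind a separate security gateway and a target using its own built-in IPsec. It encapsulates packets in both directions, reports which inner/outer address pairs coincide, and checks them against the proposed inner == outer restriction. All addresses, endpoint names and the SPD-style checks are assumptions made for the illustration.

```python
"""Added example (not from the original message): a model of IPsec
tunnel-mode addressing for iSCSI initiators behind a separate IPsec
security gateway talking to a target with built-in IPsec.
All addresses below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str


@dataclass(frozen=True)
class TunnelPacket:
    """Tunnel-mode ESP: a new outer IP header carries the original (inner) one."""
    outer: IPHeader
    inner: IPHeader


@dataclass(frozen=True)
class TunnelEndpoint:
    """A tunnel-mode IPsec endpoint. A gateway protects addresses other than
    its own; a host with built-in IPsec protects only itself, so for it the
    inner and outer address coincide."""
    name: str
    outer_addr: str
    protected: frozenset  # inner addresses on this side of the tunnel

    def encapsulate(self, pkt: IPHeader, peer: "TunnelEndpoint") -> TunnelPacket:
        # SPD lookup: only traffic from our protected set to the peer's
        # protected set belongs in this tunnel.
        if pkt.src not in self.protected or pkt.dst not in peer.protected:
            raise ValueError(f"{self.name}: no tunnel policy for {pkt.src}->{pkt.dst}")
        return TunnelPacket(outer=IPHeader(self.outer_addr, peer.outer_addr), inner=pkt)

    def decapsulate(self, tp: TunnelPacket, peer: "TunnelEndpoint") -> IPHeader:
        # The outer header must name this SA, and the recovered inner
        # destination must be one we actually protect (post-decapsulation check).
        if tp.outer != IPHeader(peer.outer_addr, self.outer_addr):
            raise ValueError(f"{self.name}: outer header does not match the SA")
        if tp.inner.dst not in self.protected:
            raise ValueError(f"{self.name}: inner dst {tp.inner.dst} not protected here")
        return tp.inner


def address_relation(tp: TunnelPacket) -> dict:
    """Which of the inner/outer address pairs coincide for this packet."""
    return {
        "innerSA == outerSA": tp.inner.src == tp.outer.src,
        "innerDA == outerDA": tp.inner.dst == tp.outer.dst,
    }


def passes_inner_equals_outer_rule(tp: TunnelPacket) -> bool:
    """The restriction under discussion: both address pairs must coincide."""
    return all(address_relation(tp).values())


# Constructed topology (assumed addresses):
#   initiators 10.0.1.1 and 10.0.1.2 sit behind gateway GW (outer 192.0.2.1);
#   target T has built-in IPsec, so its inner and outer address are both 10.0.2.10.
GW = TunnelEndpoint("GW", "192.0.2.1", frozenset({"10.0.1.1", "10.0.1.2"}))
T = TunnelEndpoint("T", "10.0.2.10", frozenset({"10.0.2.10"}))
# A second built-in-IPsec host, used to show the one case where the rule holds.
H = TunnelEndpoint("H", "10.0.3.7", frozenset({"10.0.3.7"}))


def i_to_t() -> TunnelPacket:
    # The initiator addresses the target's inner address only; the gateway
    # decides the packet goes into the tunnel and supplies the outer address.
    return GW.encapsulate(IPHeader("10.0.1.1", "10.0.2.10"), T)


def t_to_i() -> TunnelPacket:
    return T.encapsulate(IPHeader("10.0.2.10", "10.0.1.1"), GW)


def host_to_host() -> TunnelPacket:
    return T.encapsulate(IPHeader("10.0.2.10", "10.0.3.7"), H)


if __name__ == "__main__":
    for label, tp in (("I->T", i_to_t()), ("T->I", t_to_i()), ("T->H", host_to_host())):
        print(label, tp.outer, tp.inner, address_relation(tp),
              "rule ok" if passes_inner_equals_outer_rule(tp) else "rule VIOLATED")
    # Gateway-protected traffic still decapsulates correctly at both ends.
    assert T.decapsulate(i_to_t(), GW) == IPHeader("10.0.1.1", "10.0.2.10")
    assert GW.decapsulate(t_to_i(), T) == IPHeader("10.0.2.10", "10.0.1.1")
```

Running it shows the two gateway-involved directions each violate the rule on exactly one address pair (the pair belonging to the gateway side), while only the host-to-host tunnel between two built-in-IPsec nodes satisfies it; the decapsulation checks are what the endpoints actually rely on, and they do not need the inner and outer addresses to be equal.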
Last updated: Tue Feb 05 00:18:02 2002