|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: IPsec Usage QuestionPaul, I only meant that the 2-site tunnel scenario has nothing to do with the IPsec protection mandated to be implemented (yes, implemented, not used) by iSCSI. So I would not use this scenario at all to conclude about iSCSI security requirements (outer=inner etc.). Regards, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 Paul Koning <ni1d@arrl.net>@ece.cmu.edu on 05/02/2002 18:52:28 Sent by: owner-ips@ece.cmu.edu To: Ofer Biran/Haifa/IBM@IBMIL cc: Black_David@emc.com, marjorie_krueger@hp.com, ips@ece.cmu.edu Subject: RE: IPsec Usage Question Excerpt of message (sent 5 February 2002) by Ofer Biran: > > Paul, > > >This example MUST work. So you cannot require inner == outer > >address, because that translates into saying that IP Storage cannot be > >protected by a site to site IPsec tunnel. > > This is not Kansas any more... The iSCSI devices on both sites (assuming > that's their only IPsec protection) are not iSCSI compliant. This > definitely > doesn't cover the IPsec protection mandated by iSCSI. No, you're mistaken. I said nothing about what the iSCSI devices IMPLEMENT. I only talked about what was IN USE by the customer. In the example, the customer chose to USE a different security mechanism for reasons of cost, convenience, site policy, or whatever. Remember that the proposed requirement is "required to implement" and NOT "required to use". My interpretation of having "use" be optional is that you also have the option of securing your traffic via other means. Am I right? Or is it the intent of the WG to say that no other security mechanisms are allowed -- if you want security you MUST use the one that is mandated in iSCSI nodes? If so, for what reason? paul
Home Last updated: Tue Feb 05 17:17:55 2002 8654 messages in chronological order |