RE: IPsec Usage Question

["Ofer Biran" <BIRAN@il.ibm.com>]

Paul,

I only meant that the 2-site tunnel scenario has nothing to do with the
IPsec protection mandated to be implemented (yes, implemented,
not used) by iSCSI.  So I would not use this scenario at all to conclude
about iSCSI security requirements (outer=inner etc.).

  Regards,
      Ofer


Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com  972-4-8296253


Paul Koning <ni1d@arrl.net>@ece.cmu.edu on 05/02/2002 18:52:28

Sent by:  owner-ips@ece.cmu.edu


To:   Ofer Biran/Haifa/IBM@IBMIL
cc:   Black_David@emc.com, marjorie_krueger@hp.com, ips@ece.cmu.edu
Subject:  RE: IPsec Usage Question



Excerpt of message (sent 5 February 2002) by Ofer Biran:
>
> Paul,
>
> >This example MUST work.  So you cannot require inner == outer
> >address, because that translates into saying that IP Storage cannot be
> >protected by a site to site IPsec tunnel.
>
> This is not Kansas any more... The iSCSI devices on both sites (assuming
> that's their only IPsec protection) are not iSCSI compliant. This
> definitely
> doesn't cover the IPsec protection mandated by iSCSI.

No, you're mistaken.

I said nothing about what the iSCSI devices IMPLEMENT.  I only talked
about what was IN USE by the customer.  In the example, the customer
chose to USE a different security mechanism for reasons of cost,
convenience, site policy, or whatever.

Remember that the proposed requirement is "required to implement" and
NOT "required to use".

My interpretation of having "use" be optional is that you also have
the option of securing your traffic via other means.

Am I right?  Or is it the intent of the WG to say that no other
security mechanisms are allowed -- if you want security you MUST use
the one that is mandated in iSCSI nodes?  If so, for what reason?

    paul