
    RE: IPsec Usage Question



    
    Paul,
    
    I only meant that the 2-site tunnel scenario has nothing to do with the
    IPsec protection mandated to be implemented (yes, implemented,
    not used) by iSCSI.  So I would not use this scenario at all to conclude
    about iSCSI security requirements (outer=inner etc.).
    
      Regards,
          Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    Paul Koning <ni1d@arrl.net>@ece.cmu.edu on 05/02/2002 18:52:28
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   Ofer Biran/Haifa/IBM@IBMIL
    cc:   Black_David@emc.com, marjorie_krueger@hp.com, ips@ece.cmu.edu
    Subject:  RE: IPsec Usage Question
    
    
    
    Excerpt of message (sent 5 February 2002) by Ofer Biran:
    >
    > Paul,
    >
    > >This example MUST work.  So you cannot require inner == outer
    > >address, because that translates into saying that IP Storage cannot be
    > >protected by a site to site IPsec tunnel.
    >
    > This is not Kansas any more... The iSCSI devices on both sites (assuming
    > that's their only IPsec protection) are not iSCSI compliant. This
    > definitely doesn't cover the IPsec protection mandated by iSCSI.
    
    No, you're mistaken.
    
    I said nothing about what the iSCSI devices IMPLEMENT.  I only talked
    about what was IN USE by the customer.  In the example, the customer
    chose to USE a different security mechanism for reasons of cost,
    convenience, site policy, or whatever.
    
    Remember that the proposed requirement is "required to implement" and
    NOT "required to use".
    
    My interpretation of having "use" be optional is that you also have
    the option of securing your traffic via other means.
    
    Am I right?  Or is it the intent of the WG to say that no other
    security mechanisms are allowed -- if you want security you MUST use
    the one that is mandated in iSCSI nodes?  If so, for what reason?
    
        paul
    
    
    
    
    


Last updated: Tue Feb 05 17:17:55 2002