RE: IPsec Usage Question
Paul,
"2-site tunnel scenario" is not exactly "2-tunnel scenario". It all
started with my response to your original scenario:
"Scenario: two sites, each with an IPsec gateway, and an IPsec tunnel
set up between the two sites. All traffic between the two sites goes
through the tunnel. (This is the classic IPsec based VPN scenario.)"
But then you re-sent more suitable scenarios anyway, so I don't think we
have any real disagreement.
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
Paul Koning <pkoning@equallogic.com> on 11/02/2002 16:34:05
To: Ofer Biran/Haifa/IBM@IBMIL
cc: ips@ece.cmu.edu
Subject: RE: IPsec Usage Question
>>>>> "Ofer" == Ofer Biran <BIRAN@il.ibm.com> writes:
Ofer> Paul,
Ofer> I only meant that the 2-site tunnel scenario has nothing to do
Ofer> with the IPsec protection mandated to be implemented (yes,
Ofer> implemented, not used) by iSCSI. So I would not use this
Ofer> scenario at all to conclude about iSCSI security requirements
Ofer> (outer=inner etc.).
What 2-tunnel scenario?
My scenario is a one-tunnel scenario, where one end of the tunnel
terminates at an iSCSI device and the other terminates at an IPsec
gateway. That's a perfectly standard tunnel configuration. In fact,
it's the most obvious example of why tunnel mode support (in addition
to transport mode) is required for IPsec hosts.
In that scenario, you can have inner==outer for one of the endpoint
addresses (the host) but not for the other.
Unless it is your goal to disallow IPsec gateways talking to iSCSI
devices, you have to support this configuration if you're going to
support IPsec at all.
paul
Last updated: Mon Feb 11 22:18:05 2002