Re: IPSEC target and transport mode

Sorry if this goes out twice, I think my mailer ate it the first time.

On Tue, 26 Mar 2002 Black_David@emc.com wrote:

> While I believe the current situation does represent rough consensus
> of the WG, there was a visible minority in the meeting who dissented
> from this decision, and essentially no time to discuss it. Hence,
> this is an opportunity for those who would like to see the transport
> mode requirement from Huntington Beach retained to explain why on the
> list and see if they can convince the WG. The only available options
> are (1) to drop all requirements for transport mode (i.e., "MAY implement")
> and (2) to retain the transport mode requirement in the form that it
> was added in Huntington Beach (i.e., transport mode is required when
> RFC 2401 says it is). I am certain that WG rough consensus cannot be
> obtained for requiring transport mode in all cases (i.e., without the
> "when RFC 2401 says it is" qualifier from Huntington Beach).

As I understand tunnel mode, you have an IPsec security gateway in the topology. Among other things, that means we won't readily have end-to-end security, since you have security from the gateway to the device, not necessarily the initiator to the device.

How do you suggest we achieve end-to-end security without transport mode a MUST?

Specifically the topology I have in mind is I make a dedicated IP SAN, and want ESP from the file servers to the storage boxes. They are all on the same (GigE) subnet. How do I get this level of security (end-to-end) with just tunnel mode?

Puzzled,

Bill
Last updated: Wed Mar 27 13:18:17 2002