
    RE: IPSEC target and transport mode



    Bill,
    
    > As I understand tunnel mode, you have an IPsec security gateway in the
    > topology. Among other things, that means we won't readily have end-to-end
    > security, since you have security from the gateway to the device, not
    > necessarily the initiator to the device.
    
    The gateway is possible, but not necessary.  RFC 2401, section 4.1 says:
    
    	Two hosts MAY establish a tunnel mode SA between themselves.
    
    Hence the assertion that end-to-end security is not possible in tunnel
    mode is incorrect.  OTOH, if someone chooses to use a separate security
    gateway packaged with their IP Storage implementation, they
    can only claim compliance with the security requirements of the
    appropriate IP Storage RFC(s) on the secured side of the gateway -
    they have to explain to their customer that there is no IPsec security
    on the (presumably private) link between the IP Storage system and
    the gateway.
    
    > How do you suggest we achieve end-to-end security without 
    > transport mode a MUST?
    
    IPsec security policy (including use and acceptance of ID payloads)
    and decisions about which IKE authentication material is installed
    in what systems and is accepted/required by what other systems.
    Forcing use of transport mode is a poor substitute for putting a
    proper security policy in place.  Ensuring that only the ends of
    interest have the material required to set up the end-to-end SA is
    a good idea.
    
    > Specifically the topology I have in mind is I make a dedicated IP SAN, and
    > want ESP from the file servers to the storage boxes. They are all on the
    > same (GigE) subnet. How do I get this level of security (end-to-end) with
    > just tunnel mode?
    
    Negotiate what you want and make sure that no security gateway between the
    file servers and storage boxes has the IKE authentication material that
    the file servers and storage boxes will require.  Negotiation of the
    encapsulation mode (you can still do transport if you want to, it's just
    not REQUIRED) is supported by SA attribute 4 in Section 4.5 of RFC 2407
    (yes, it's well hidden ...).
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
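As an added illustration of the two points David makes (encapsulation mode is negotiated via IPsec DOI SA attribute 4 rather than forced, and end-to-end security comes from policy about which peers hold the IKE authentication material), here is a small example that is not part of the original thread: it encodes and decodes ISAKMP data attributes as RFC 2408/2407 lay them out and applies a local policy that accepts either mode but only from the ends of interest. The peer names, the sample transform and the policy are constructed for the example.

```python
import struct
# IPsec DOI SA attribute types from RFC 2407 section 4.5 (B = Basic, V = Variable)
SA_LIFE_TYPE, SA_LIFE_DURATION, ENCAP_MODE, AUTH_ALG = 1, 2, 4, 5
TUNNEL, TRANSPORT = 1, 2                     # Encapsulation Mode (attribute 4) values
MODE_NAMES = {TUNNEL: "Tunnel", TRANSPORT: "Transport"}

def encode_basic(attr_type, value):
    """Basic attribute (RFC 2408 3.3): AF bit set, type, then a 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def encode_variable(attr_type, payload):
    """Variable-length attribute: AF bit clear, type, length, then the payload."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(payload)) + payload

def decode_attrs(data):
    """Parse a run of ISAKMP data attributes into {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, second = struct.unpack_from("!HH", data, off)
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:                 # Basic: 'second' is the value itself
            attrs[attr_type], off = second, off + 4
        else:                                # Variable: 'second' is a byte length
            if off + 4 + second > len(data):
                raise ValueError("truncated attribute %d" % attr_type)
            attrs[attr_type] = data[off + 4:off + 4 + second]
            off += 4 + second
    if off != len(data):
        raise ValueError("trailing bytes after attributes")
    return attrs

def accept_sa(attrs, peer_id, policy):
    """Local check modelled on the message: the peer must be one of the ends of
    interest (the only systems holding the IKE authentication material), and the
    negotiated mode must be one the policy lists; both modes are end-to-end here."""
    if peer_id not in policy["peers"]:
        return False, "peer %s is not an authorized end" % peer_id
    mode = attrs.get(ENCAP_MODE)             # None if the attribute is absent
    if mode not in policy["modes"]:
        return False, "encapsulation mode %r not allowed by policy" % mode
    return True, MODE_NAMES[mode]

# Constructed sample transform: Transport mode, HMAC-SHA auth, 28800-second lifetime
SAMPLE_ATTRS = (encode_basic(ENCAP_MODE, TRANSPORT)
                + encode_basic(AUTH_ALG, 2)            # 2 = HMAC-SHA (RFC 2407 4.5)
                + encode_basic(SA_LIFE_TYPE, 1)         # 1 = seconds
                + encode_variable(SA_LIFE_DURATION, struct.pack("!I", 28800)))
# Constructed policy: file servers and storage boxes of the IP SAN, either mode
SAN_POLICY = {"peers": {"fs1.san.example", "disk1.san.example"}, "modes": {TUNNEL, TRANSPORT}}
```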
    
Last updated: Wed Apr 03 12:18:23 2002