    RE: IPSEC target and transport mode



    Excerpt of message (sent 27 March 2002) by Bill Studenmund:
    > On Wed, 27 Mar 2002 Black_David@emc.com wrote:
    > 
    > > Bill,
    > >
    > > > As I understand tunnel mode, you have an IPsec security gateway in the
    > > > topology. Among other things, that means we won't readily have end-to-end
    > > > security, since you have security from the gateway to the device, not
    > > > necessarily the initiator to the device.
    > >
    > > The gateway is possible, but not necessary.  RFC 2401, section 4.1 says:
    > >
    > > 	Two hosts MAY establish a tunnel mode SA between themselves.
    > >
    > > Hence the assertion that end-to-end security is not possible in tunnel
    > > mode is incorrect.  OTOH, if someone chooses to use a separate security
    > > gateway packaged with their IP Storage implementation, they
    > > can only claim compliance with the security requirements of the
    > > appropriate IP Storage RFC(s) on the secured side of the gateway -
    > > they have to explain to their customer that there is no IPsec security
    > > on the (presumably private) link between the IP Storage system and
    > > the gateway.
    > 
    > The examples I've seen of that are cases where security gateways want to
    > talk to each other, *and* they end up using internal addresses to use the
    > tunnel, i.e. not the IP addresses the tunnel is built between. I think
    > you can slide and have the connection to one of the tunnel addresses, but
    > the other one needs to be internal.
    
    There's no restriction on the "inner" address in a tunnel.  It may be
    the same as the outer address (tunnel endpoint address) if the tunnel
    terminates at the same node as the source or destination of the
    protected traffic.  But even in that case you're allowed to use a
    different address if you wish.
     
    > Oh, by basing a MUST in iSCSI on a MAY in RFC 2401, aren't we setting
    > ourselves up for interoperability problems when we hit an IPsec stack on
    > the other end that doesn't support the mode you support?
    
    No, because the "MAY" David quoted indicates that a host has a choice
    of modes it can pick from.  The more important statement in RFC 2401
    is this one, which is the statement of what's mandatory-to-implement:
    
       In summary,
               a) A host MUST support both transport and tunnel mode.
    
    (RFC 2401, top of page 9).
    
    > Let me try that again. I have a file server with an address on the IP SAN
    > at 192.168.1.1, and the iSCSI device is at 192.168.1.3. They have either a
    > cross-over cable or a gig switch between them.
    > 
    > What would the SPDs look like?
    
    "from 192.168.1.1, TCP port x, to 192.168.1.3, port <iscsi>, ESP
    encryption foo, authentication bar" and the reverse.  It's the same
    SPD whether you use tunnel mode or transport mode.
    
    > Have you tried it?
    
    Not recently.  Actually, an interesting wrinkle is that a number of
    security gateways don't implement fine grain (per port) SPDs, in spite
    of RFC 2401.  But apart from that it's pretty straightforward.
    
       paul
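
As an added illustration (not part of the thread, and not code from any of its participants), a small Python model of the SPD entries Paul describes, using the thread's two addresses and assuming the IANA-registered iSCSI port 3260 for his "port <iscsi>". It shows that the per-port selectors are identical in transport and tunnel mode, that only the wire encapsulation differs (with the tunnel terminating on the hosts, the outer addresses simply repeat the inner ones), and how a gateway without per-port selectors ends up protecting all traffic between the hosts rather than just iSCSI.

```python
from dataclasses import dataclass
from typing import List, Optional
ANY = None  # wildcard selector value

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class SpdEntry:
    # Selectors as in RFC 2401 section 4.4.2; None means "any".
    src: str
    dst: str
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str     # "PROTECT", "BYPASS" or "DISCARD"
    mode: str = ""  # "transport" or "tunnel" when action is PROTECT

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst == p.dst
                and self.proto in (ANY, p.proto)
                and self.sport in (ANY, p.sport)
                and self.dport in (ANY, p.dport))

def build_iscsi_spd(initiator, target, iscsi_port, mode):
    """The per-port pair from the thread: initiator->target to the iSCSI port
    plus the reverse, both ESP-protected; identical selectors in either mode."""
    return [SpdEntry(initiator, target, "tcp", ANY, iscsi_port, "PROTECT", mode),
            SpdEntry(target, initiator, "tcp", iscsi_port, ANY, "PROTECT", mode)]

def build_host_spd(a, b, mode):
    """Coarse host-to-host entries, as on a gateway that lacks per-port
    selectors: every packet between the two hosts is protected."""
    return [SpdEntry(a, b, ANY, ANY, ANY, "PROTECT", mode),
            SpdEntry(b, a, ANY, ANY, ANY, "PROTECT", mode)]

def lookup(spd: List[SpdEntry], p: Packet) -> Optional[SpdEntry]:
    """Ordered first-match lookup; None means no policy entry applies."""
    return next((e for e in spd if e.matches(p)), None)

def encapsulate(entry: SpdEntry, p: Packet) -> List[str]:
    """Header stack on the wire, outermost first. Tunnel mode between the two
    hosts adds an outer IP header repeating the inner addresses (RFC 2401)."""
    ip, tcp = f"IP {p.src}->{p.dst}", f"TCP {p.sport}->{p.dport}"
    return [ip, "ESP", ip, tcp] if entry.mode == "tunnel" else [ip, "ESP", tcp]
```

The constructed packets in a quick check would be the file server at 192.168.1.1 opening an iSCSI session to 192.168.1.3 from an ephemeral port, plus the reply; an unrelated connection between the same hosts matches the coarse gateway policy but not the per-port one.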
    