RE: IPSEC target and transport mode

Excerpt of message (sent 27 March 2002) by Bill Studenmund:

> On Wed, 27 Mar 2002 Black_David@emc.com wrote:
>
> > Bill,
> >
> > > As I understand tunnel mode, you have an IPsec security gateway in the
> > > topology. Among other things, that means we won't readily have end-to-end
> > > security, since you have security from the gateway to the device, not
> > > necessarily the initiator to the device.
> >
> > The gateway is possible, but not necessary. RFC 2401, section 4.1 says:
> >
> >     Two hosts MAY establish a tunnel mode SA between themselves.
> >
> > Hence the assertion that end-to-end security is not possible in tunnel
> > mode is incorrect. OTOH, if someone chooses to use a separate security
> > gateway packaged with their IP Storage implementation, they
> > can only claim compliance with the security requirements of the
> > appropriate IP Storage RFC(s) on the secured side of the gateway -
> > they have to explain to their customer that there is no IPsec security
> > on the (presumably private) link between the IP Storage system and
> > the gateway.
>
> The examples I've seen of that are cases where security gateways want to
> talk to each other, *and* they end up using internal addresses to use the
> tunnel, i.e. not the IP addresses the tunnel is built between. I think
> you can slide and have the connection to one of the tunnel addresses, but
> the other one needs to be internal.

There's no restriction on the "inner" address in a tunnel. It may be the
same as the outer address (tunnel endpoint address) if the tunnel terminates
at the same node as the source or destination of the protected traffic. But
even in that case you're allowed to use a different address if you wish.

> Oh, by basing a MUST in iSCSI on a MAY in RFC 2401, aren't we setting
> ourselves up for interoperability problems when we hit an IPsec stack on
> the other end that doesn't support the mode you support?

No, because the "MAY" David quoted indicates that a host has a choice of
modes it can pick from. The more important statement in RFC 2401 is this
one, which is the statement of what's mandatory-to-implement:

    In summary,
    a) A host MUST support both transport and tunnel mode.

(RFC 2401, top of page 9).

> Let me try that again. I have a file server with an address on the IP SAN
> at 192.168.1.1, and the iSCSI device is at 192.168.1.3. They have either a
> cross-over cable or a gig switch between them.
>
> What would the SPDs look like?

"from 192.168.1.1, TCP port x, to 192.168.1.3, port <iscsi>, ESP encryption
foo, authentication bar" and the reverse. It's the same SPD whether you use
tunnel mode or transport mode.

> Have you tried it?

Not recently. Actually, an interesting wrinkle is that a number of security
gateways don't implement fine-grained (per-port) SPDs, in spite of RFC 2401.
But apart from that it's pretty straightforward.

paul
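The SPD sketched in the reply above, as an added Python example that is not part of the thread or of any IPsec implementation: a toy ordered, first-match SPD holding the two iSCSI rows from the message plus a catch-all DISCARD row, built once for transport mode and once for tunnel mode to show that the selectors are identical and only the SA mode differs. A `port_aware` switch models the closing caveat about gateways that ignore port selectors. The port number 3260 (the IANA-registered iSCSI port, where the message only writes `<iscsi>`), the ephemeral port 40000 and the sample packets are assumptions; "encryption foo, authentication bar" is kept from the message as a placeholder transform.

```python
"""Toy model of an IPsec Security Policy Database (SPD), constructed for this
thread; it is not code from the mailing list or from any IPsec stack."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None          # wildcard for a selector field
ISCSI_PORT = 3260   # IANA-registered iSCSI port (the message writes "<iscsi>")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    """One SPD row: traffic selectors plus the action to apply.
    `mode` belongs to the SA the row calls for, not to the selectors, which
    is why a transport-mode and a tunnel-mode SPD can look identical."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    mode: Optional[str] = None   # "transport" or "tunnel"; only used with PROTECT
    esp: str = ""                # ESP transform, e.g. "encryption foo, authentication bar"

    def matches(self, pkt: Packet, port_aware: bool = True) -> bool:
        """True if every non-wildcard selector equals the packet's field.
        port_aware=False ignores the port selectors, mimicking a gateway that
        only implements address-granularity policy."""
        for sel, val in ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto)):
            if sel is not ANY and sel != val:
                return False
        if port_aware:
            for sel, val in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
                if sel is not ANY and sel != val:
                    return False
        return True


def build_iscsi_spd(mode: str) -> List[SPDEntry]:
    """The SPD from the message: protect iSCSI between the file server
    (192.168.1.1) and the iSCSI device (192.168.1.3) in both directions and
    discard everything else.  Only the SA mode differs between the two builds."""
    transform = "encryption foo, authentication bar"   # placeholders from the message
    return [
        SPDEntry("192.168.1.1", "192.168.1.3", "tcp", ANY, ISCSI_PORT, "PROTECT", mode, transform),
        SPDEntry("192.168.1.3", "192.168.1.1", "tcp", ISCSI_PORT, ANY, "PROTECT", mode, transform),
        SPDEntry(ANY, ANY, ANY, ANY, ANY, "DISCARD"),  # catch-all: nothing leaves in the clear
    ]


def decide(spd: List[SPDEntry], pkt: Packet, port_aware: bool = True) -> str:
    """Ordered first-match lookup (RFC 2401 requires the SPD to be ordered).
    Returns "DISCARD", "BYPASS" or "PROTECT/<mode>"."""
    for entry in spd:
        if entry.matches(pkt, port_aware):
            return entry.action if entry.action != "PROTECT" else f"PROTECT/{entry.mode}"
    raise LookupError("no SPD entry matched")  # unreachable with the catch-all row


def selectors_only(spd: List[SPDEntry]) -> list:
    """Strip the SA parameters so two SPDs can be compared row by row."""
    return [(e.src, e.dst, e.proto, e.sport, e.dport, e.action) for e in spd]


if __name__ == "__main__":
    iscsi_out = Packet("192.168.1.1", "192.168.1.3", "tcp", 40000, ISCSI_PORT)  # constructed
    other = Packet("192.168.1.1", "192.168.1.3", "tcp", 40001, 22)            # constructed
    for mode in ("transport", "tunnel"):
        spd = build_iscsi_spd(mode)
        print(mode, decide(spd, iscsi_out), decide(spd, other),
              decide(spd, other, port_aware=False))
```

Running it shows the same three rows for both modes, with iSCSI traffic getting `PROTECT/transport` or `PROTECT/tunnel` and unrelated traffic between the same two hosts hitting the DISCARD row. With `port_aware=False` the unrelated packet instead matches the first row, so a gateway that ignores port selectors silently folds all traffic between the two addresses into the iSCSI SA; a policy that relies on per-port rows should be checked against what the deployed stack actually enforces.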
Last updated: Wed Mar 27 16:18:12 2002