RE: IPSEC target and transport mode

To: wrstuden@wasabisystems.com
Subject: RE: IPSEC target and transport mode
From: Paul Koning <ni1d@arrl.net>
Date: Wed, 27 Mar 2002 15:28:21 -0500
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <277DD60FB639D511AC0400B0D068B71E02937666@CORPMX14><Pine.NEB.4.33.0203271018280.365-100000@candlekeep.home-net.internetconnect.net>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 27 March 2002) by Bill Studenmund:
> On Wed, 27 Mar 2002 Black_David@emc.com wrote:
> 
> > Bill,
> >
> > > As I understand tunnel mode, you have an IPsec security gateway in the
> > > topology. Among other things, that means we won't readily have end-to-end
> > > security, since you have security from the gateway to the device, not
> > > necessarily the initiator to the device.
> >
> > The gateway is possible, but not necessary.  RFC 2401, section 4.1 says:
> >
> > 	Two hosts MAY establish a tunnel mode SA between themselves.
> >
> > Hence the assertion that end-to-end security is not possible in tunnel
> > mode is incorrect.  OTOH, if someone chooses to use a separate security
> > gateway packaged with their IP Storage implementation, they
> > can only claim compliance with the security requirements of the
> > appropriate IP Storage RFC(s) on the secured side of the gateway -
> > they have to explain to their customer that there is no IPsec security
> > on the (presumably private) link between the IP Storage system and
> > the gateway.
> 
> The examples I've seen of that are cases where security gateways want to
> talk to each other, *and* they end up using internal addresses to use the
> tunnel. i.e. not the IP addresses the tunnel is built between. I think
> you can slide and have the connection to one of the tunnel addresses, but
> the other one needs to be internal.

There's no restriction on the "inner" address in a tunnel.  It may be
the same as the outer address (tunnel endpoint address) if the tunnel
terminates at the same node as the source or destination of the
protected traffic.  But even in that case you're allowed to use a
different address if you wish.

> Oh, by basing a MUST in iSCSI on a MAY in RFC 2401, aren't we seting
> ourselves up for interoperability problems when we hit an IPsec stack on
> the other end that doesn't support the mode you support?

No, because the "MAY" David quoted indicates that a host has a choice
of modes it can pick from.  The more important statement in RFC 2401
is this one, which is the statement of what's mandatory-to-implement:

   In summary,
           a) A host MUST support both transport and tunnel mode.

(RFC 2401, top of page 9).

> Let me try that again. I have a file server with an address on the IP SAN
> at 192.168.1.1, and the iSCSI device is at 192.168.1.3. They have either a
> cross-over cable or a gig swith between them.
> 
> What would the SPDs look like?

"from 192.168.1.1, TCP port x, to 192.168.1.3, port <iscsi>, ESP
encryption foo, authentication bar" and the reverse.  It's the same
SPD whether you use tunnel mode or transport mode.

> Have you tried it?

Not recently.  Actually, an interesting wrinkle is that a number of
security gateways don't implement fine grain (per port) SPDs, in spite
of RFC 2401.  But apart from that it's pretty straightforward.

   paul

References:
- RE: IPSEC target and transport mode
  - From: Black_David@emc.com
- RE: IPSEC target and transport mode
  - From: Bill Studenmund <wrstuden@wasabisystems.com>

Prev by Date: Re: iSCSI: Login stage transition; T bit
Next by Date: RE: IPSEC target and transport mode
Prev by thread: RE: IPSEC target and transport mode
Next by thread: RE: IPSEC target and transport mode
Index(es):
- Date
- Thread

Home

Last updated: Wed Mar 27 16:18:12 2002
9353 messages in chronological order