Re: Relation between iSCSI session and IPSec SAs

["Jussi Kukkonen" <kukkonen@ssh.com>]

Christina's email brings up interesting point:

Is there any benefit in being able to identify iSCSI
TCP session based on the IPSec SA (SPI) alone?

Does it make iSCSI TCP offloading easier when
you can associate inbound datagrams to correct
session using only single lookup based on the SPI?
(or destination address + SPI + protocol, to be exact)

You still need post-IPSec policy enforcement, but this
is only a comparison against known values, not a lookup.

Also, does this "SA per TCP session" model make
load balancing & high availability somehow easier?

I would like to understand what is the usual justification
for separating individual TCP sessions to different SAs.
(and also whether people are doing this or not in iSCSI)


Jussi Kukkonen
Technical Product Manager
SSH Communications Security
www.ssh.com

----- Original Message -----
From: "Christina Helbig" <cbh@zyfer.com>
To: <ips@ece.cmu.edu>
Sent: Monday, April 29, 2002 11:42 AM
Subject: Relation between iSCSI session and IPSec SAs


> Hi,
> I have a question regarding the relation between iSCSI session and the
IPsec
> SAs.
> From the minutes of Minneapolis:
> "...a single IPSec Phase 2 SA per TCP connection ...had no security
value."
> I agree and like to extend this:
> "...a single IKE negotiation per multiple iSCSI session (between the same
IP
> addresses of initiator and target) ...had no security value."
> I found a similar statement in the mailing list from February but no
> discussion about this issue:
> "If an implementor wants to put all their iSCSI sessions on the same IPSec
> SA, I think they should have that liberty."
> So the question is, what is the situation? Must we negotiate per multiple
> session (and evaluate packets additional for a session identifier) or must
> we not?
> Thank you for the answer.
>
>
> Christina Helbig
> Sr. Security System Analyst
> Zyfer
> cbh@zyfer.com
> tel: 714 780 7618
> fax:714 780 7649
>
>