
    Re: Relation between iSCSI session and IPSec SAs



    Christina's email brings up an interesting point:
    
    Is there any benefit in being able to identify an iSCSI
    TCP session based on the IPSec SA (SPI) alone?
    
    Does it make iSCSI TCP offloading easier when
    you can associate inbound datagrams with the correct
    session using only a single lookup based on the SPI?
    (or destination address + SPI + protocol, to be exact)
    
    You still need post-IPSec policy enforcement, but this
    is only a comparison against known values, not a lookup.
    
    Also, does this "SA per TCP session" model make
    load balancing & high availability somehow easier?
    
    I would like to understand what the usual justification is
    for separating individual TCP sessions into different SAs.
    (and also whether people are doing this or not in iSCSI)
    
    
    Jussi Kukkonen
    Technical Product Manager
    SSH Communications Security
    www.ssh.com
    
    ----- Original Message -----
    From: "Christina Helbig" <cbh@zyfer.com>
    To: <ips@ece.cmu.edu>
    Sent: Monday, April 29, 2002 11:42 AM
    Subject: Relation between iSCSI session and IPSec SAs
    
    
    > Hi,
    > I have a question regarding the relation between iSCSI sessions and the
    > IPsec SAs.
    > From the minutes of Minneapolis:
    > "...a single IPSec Phase 2 SA per TCP connection ...had no security value."
    > I agree and would like to extend this:
    > "...a single IKE negotiation per multiple iSCSI sessions (between the same IP
    > addresses of initiator and target) ...had no security value."
    > I found a similar statement in the mailing list from February but no
    > discussion about this issue:
    > "If an implementor wants to put all their iSCSI sessions on the same IPSec
    > SA, I think they should have that liberty."
    > So the question is, what is the situation? Must we negotiate per multiple
    > sessions (and additionally evaluate packets for a session identifier) or must
    > we not?
    > Thank you for the answer.
    >
    >
    > Christina Helbig
    > Sr. Security System Analyst
    > Zyfer
    > cbh@zyfer.com
    > tel: 714 780 7618
    > fax:714 780 7649
    >
    >
    
    
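The two demultiplexing models discussed in this message (one IPsec SA per TCP connection, so the SPI lookup alone yields the iSCSI session and the post-IPsec policy step is only a comparison against the SA's selectors, versus one SA shared by several connections, so a second lookup on the decrypted TCP header is needed) are modelled below. This is an added illustration, not code from the list message or from any iSCSI or IPsec implementation. It assumes ESP in transport mode, an inbound SA keyed by (destination address, protocol, SPI) as the message describes, and one iSCSI session per TCP connection identified by its 4-tuple; the addresses, ports, SPIs and session names are constructed sample data and no real cryptography is performed.

```python
"""Toy model of inbound demultiplexing: SA-per-connection vs. shared SA.

Added example, not code from the list message.  Assumptions (mine): ESP in
transport mode, inbound SA keyed by (dst address, protocol, SPI), and one
iSCSI session per TCP connection (inner 4-tuple).  No real crypto; all
addresses, ports, SPIs and session names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class Sa:
    spi: int
    # Traffic selectors for this SA; a port of None means "any port".
    src_addr: str
    dst_addr: str
    src_port: Optional[int]
    dst_port: Optional[int]
    session: Optional[str]  # iSCSI session bound to the SA (1:1 model only)


@dataclass(frozen=True)
class Packet:
    outer_dst: str  # outer IP destination address
    proto: int      # outer IP protocol (ESP)
    spi: int        # SPI from the ESP header
    inner_src: str  # the fields below are visible only after decryption
    inner_dst: str
    sport: int
    dport: int


def selectors_match(sa: Sa, pkt: Packet) -> bool:
    """Post-IPsec policy check: compare decrypted headers against the SA's
    selectors.  This is a fixed comparison, not a table lookup."""
    return (pkt.inner_src == sa.src_addr
            and pkt.inner_dst == sa.dst_addr
            and sa.src_port in (None, pkt.sport)
            and sa.dst_port in (None, pkt.dport))


class SaPerConnection:
    """Model A: one phase-2 SA per TCP connection."""

    def __init__(self, sas):
        self.sad: Dict[Tuple[str, int, int], Sa] = {
            (sa.dst_addr, ESP, sa.spi): sa for sa in sas}

    def demux(self, pkt: Packet) -> Tuple[Optional[str], str, int]:
        """Return (session, status, number of table lookups performed)."""
        sa = self.sad.get((pkt.outer_dst, pkt.proto, pkt.spi))  # the only lookup
        if sa is None:
            return None, "no SA", 1
        if not selectors_match(sa, pkt):
            return None, "policy violation", 1
        return sa.session, "ok", 1


class SharedSa:
    """Model B: one SA for all connections between the same two addresses."""

    def __init__(self, sa: Sa, connections):
        self.sad = {(sa.dst_addr, ESP, sa.spi): sa}
        # (src, dst, sport, dport) -> session; consulted only after decryption
        self.connections: Dict[Tuple[str, str, int, int], str] = dict(connections)

    def demux(self, pkt: Packet) -> Tuple[Optional[str], str, int]:
        sa = self.sad.get((pkt.outer_dst, pkt.proto, pkt.spi))  # lookup 1: SPI
        if sa is None:
            return None, "no SA", 1
        if not selectors_match(sa, pkt):
            return None, "policy violation", 1
        key = (pkt.inner_src, pkt.inner_dst, pkt.sport, pkt.dport)
        session = self.connections.get(key)  # lookup 2: inner 4-tuple
        if session is None:
            return None, "no session", 2
        return session, "ok", 2


# Constructed sample data: initiator 10.0.0.1, target 10.0.0.2, iSCSI port 3260.
I, T, ISCSI = "10.0.0.1", "10.0.0.2", 3260
PER_CONN = SaPerConnection([
    Sa(0x1001, I, T, 49152, ISCSI, "S1"),
    Sa(0x1002, I, T, 49153, ISCSI, "S2"),
])
SHARED = SharedSa(
    Sa(0x2000, I, T, None, None, None),
    {(I, T, 49152, ISCSI): "S1", (I, T, 49153, ISCSI): "S2"},
)

if __name__ == "__main__":
    print(PER_CONN.demux(Packet(T, ESP, 0x1001, I, T, 49152, ISCSI)))  # S1 in one lookup
    print(PER_CONN.demux(Packet(T, ESP, 0x1001, I, T, 49153, ISCSI)))  # wrong SA: rejected
    print(SHARED.demux(Packet(T, ESP, 0x2000, I, T, 49153, ISCSI)))    # S2, two lookups
```

The second case in the usage block shows what the post-IPsec policy step buys in model A: a packet carrying connection S2's TCP header but arriving on S1's SPI fails the selector comparison and is dropped, without any further lookup. In model B the SA's port selectors are wildcards, so the same check passes and the session can only be found by a second lookup on the decrypted 4-tuple.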


Last updated: Thu May 02 11:18:56 2002