Re: Relation between iSCSI session and IPSec SAs

Christina's email brings up an interesting point: Is there any benefit in being able to identify an iSCSI TCP session based on the IPSec SA (SPI) alone?

Does it make iSCSI TCP offloading easier when you can associate inbound datagrams to the correct session using only a single lookup based on the SPI? (or destination address + SPI + protocol, to be exact) You still need post-IPSec policy enforcement, but this is only a comparison against known values, not a lookup.

Also, does this "SA per TCP session" model make load balancing & high availability somehow easier?

I would like to understand what the usual justification is for separating individual TCP sessions to different SAs. (and also whether people are doing this or not in iSCSI)

Jussi Kukkonen
Technical Product Manager
SSH Communications Security
www.ssh.com

----- Original Message -----
From: "Christina Helbig" <cbh@zyfer.com>
To: <ips@ece.cmu.edu>
Sent: Monday, April 29, 2002 11:42 AM
Subject: Relation between iSCSI session and IPSec SAs

> Hi,
> I have a question regarding the relation between iSCSI session and the IPsec
> SAs.
> From the minutes of Minneapolis:
> "...a single IPSec Phase 2 SA per TCP connection ...had no security value."
> I agree and would like to extend this:
> "...a single IKE negotiation per multiple iSCSI session (between the same IP
> addresses of initiator and target) ...had no security value."
> I found a similar statement in the mailing list from February but no
> discussion about this issue:
> "If an implementor wants to put all their iSCSI sessions on the same IPSec
> SA, I think they should have that liberty."
> So the question is, what is the situation? Must we negotiate per multiple
> session (and evaluate packets additionally for a session identifier) or must
> we not?
> Thank you for the answer.
>
>
> Christina Helbig
> Sr. Security System Analyst
> Zyfer
> cbh@zyfer.com
> tel: 714 780 7618
> fax: 714 780 7649
>
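To make the receive-side difference concrete, here is an added illustration (not code from either poster) of the two demux models Jussi contrasts: inbound packets are matched with one SADB lookup on (destination address, SPI, protocol), after which policy enforcement is just a comparison of the inner TCP header against the SA's negotiated selector; an SA dedicated to one connection then yields the iSCSI session directly, whereas a shared SA still needs a second lookup on the inner 4-tuple. Addresses, ports, SPIs and session names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
ESP = 50  # IP protocol number for ESP

@dataclass(frozen=True)
class Selector:          # traffic selector the SA was negotiated for (SPD entry)
    src: str
    dst: str
    proto: int           # inner protocol, 6 = TCP
    src_port: Optional[int]   # None = any port, i.e. the SA is shared by several connections
    dst_port: Optional[int]

@dataclass
class SA:
    spi: int
    selector: Selector
    session_id: Optional[str]  # set when the SA is dedicated to one iSCSI TCP connection

sadb = {}       # inbound SADB keyed by (destination address, SPI, IPsec protocol), as in RFC 2401
tcp_table = {}  # inner TCP 4-tuple -> iSCSI session, needed only for SAs that are shared

def install_sa(dst, proto, sa):
    sadb[(dst, sa.spi, proto)] = sa

def demux_inbound(outer_dst, spi, ipsec_proto, inner):
    # Step 1: a single lookup on (dst, SPI, protocol).
    sa = sadb.get((outer_dst, spi, ipsec_proto))
    if sa is None:
        return ("drop", "no-such-SA")
    # Step 2: post-IPsec policy enforcement is a comparison against known values, not a lookup.
    sel = sa.selector
    ok = (inner["src"], inner["dst"], inner["proto"]) == (sel.src, sel.dst, sel.proto)
    ok = ok and sel.src_port in (None, inner["sport"]) and sel.dst_port in (None, inner["dport"])
    if not ok:
        return ("drop", "policy-mismatch")  # the packet arrived on an SA it was not negotiated for
    if sa.session_id is not None:
        return ("deliver", sa.session_id)   # SA per connection: session known, no TCP lookup needed
    # Shared SA: the connection must still be found with a second lookup on the inner 4-tuple.
    key = (inner["src"], inner["sport"], inner["dst"], inner["dport"])
    return ("deliver", tcp_table.get(key, "unknown-connection"))

# Constructed sample state: initiator 10.0.0.1 has two iSCSI connections to target 10.0.0.2:3260.
INIT, TARGET = "10.0.0.1", "10.0.0.2"
tcp_table.update({(INIT, 40001, TARGET, 3260): "sess-A", (INIT, 40002, TARGET, 3260): "sess-B"})
install_sa(TARGET, ESP, SA(0x1001, Selector(INIT, TARGET, 6, 40001, 3260), "sess-A"))  # dedicated
install_sa(TARGET, ESP, SA(0x2000, Selector(INIT, TARGET, 6, None, 3260), None))       # shared

def pkt(sport, dport=3260):  # constructed inner (post-decapsulation) TCP header fields
    return {"src": INIT, "dst": TARGET, "proto": 6, "sport": sport, "dport": dport}
```

A packet for session B arriving on session A's dedicated SPI fails the selector comparison and is dropped, which is the check that keeps the single-lookup model honest.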