Re: Relation between iSCSI session and IPSec SAs

To: cbh@zyfer.com, ips@ece.cmu.edu
Subject: Re: Relation between iSCSI session and IPSec SAs
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Fri, 03 May 2002 10:47:36 -0700
Content-Type: text/plain; format=flowed
Sender: owner-ips@ece.cmu.edu

>From the minutes of Minneapolis:
>"...a single IPSec Phase 2 SA per TCP connection ...had no security 
> >value."
>I agree and like to extend this:

>"...a single IKE negotiation per multiple iSCSI session (between the >same 
>IP addresses of initiator and target) ...had no security value."

If you are saying that it it doesn't matter how many IKE phase 2 SAs 
correspond to a given IKE Phase 1 SA, then I would agree. Is this what you 
meant?

>Must we negotiate per multiple session (and evaluate packets >additional 
>for a session identifier) or must we not?

I think that the bottom line is that an iSCSI session needs to be protected 
by an IKE phase 2 SA. You can have multiple iSCSI sessions per phase 2 SA. 
You can have multiple phase 2 SAs per phase 1 SA. Those are implementation 
decisions that generally don't influence the security properties, except in 
a few exceptional conditions (e.g. QoS marking, desire to protect iSCSI 
sessions with different transforms).

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com

Follow-Ups:
- Re: Relation between iSCSI session and IPSec SAs
  - From: Srinivasa Addepalli <srao@intotoinc.com>

Prev by Date: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by Date: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Prev by thread: RE: Relation between iSCSI session and IPSec SAs
Next by thread: Re: Relation between iSCSI session and IPSec SAs
Index(es):
- Date
- Thread

Home

Last updated: Fri May 03 16:18:23 2002
9961 messages in chronological order