Re: Relation between iSCSI session and IPSec SAs

>From the minutes of Minneapolis:
>"...a single IPSec Phase 2 SA per TCP connection ...had no security
>value."
>I agree and like to extend this:
>"...a single IKE negotiation per multiple iSCSI session (between the
>same IP addresses of initiator and target) ...had no security value."

If you are saying that it doesn't matter how many IKE phase 2 SAs correspond to a given IKE Phase 1 SA, then I would agree. Is this what you meant?

>Must we negotiate per multiple session (and evaluate packets
>additional for a session identifier) or must we not?

I think that the bottom line is that an iSCSI session needs to be protected by an IKE phase 2 SA. You can have multiple iSCSI sessions per phase 2 SA. You can have multiple phase 2 SAs per phase 1 SA. Those are implementation decisions that generally don't influence the security properties, except in a few exceptional conditions (e.g. QoS marking, desire to protect iSCSI sessions with different transforms).
Last updated: Fri May 03 16:18:23 2002