Re: iSCSI and IPSec

["John Hufferd" <hufferd@us.ibm.com>]

Bill,
Though you are correct, the way you state it is as if Tunnel mode is some
how easier to implement then Transport mode, or as if Encryption is not
needed to be implemented.  Now I am sure you did not mean that, so perhaps
I should restate you answer as follows:
* IPsec is a MUST be implemented: That is Data Integrity and Authentication
Must be implemented

* IPsec is also a MUST implement Confidentiality (encryption).

* All of the above MUST be implemented in Tunnel Mode, and If the IPsec
implementation of an iSCSI initiator or target conforms to the [RFC2401]
definition of a host, then to comply with section 4.1 of [RFC2401] it MUST
also implement the above in Transport mode.

* So the thing you know for sure is that Tunnel mode MUST be implemented,
and sometimes Transport mode will also be implemented.

*However, the end customer has the freedom to turn on all or part of what
ever IPsec version it has implemented.

.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
Home Office (408) 997-6136, Cell: (408) 499-9702
Internet address: hufferd@us.ibm.com


Bill Studenmund <wrstuden@wasabisystems.com>@ece.cmu.edu on 05/09/2002
01:01:45 PM

Sent by:    owner-ips@ece.cmu.edu


To:    Shahram Davari <Shahram_Davari@pmc-sierra.com>
cc:    "'ips@ece.cmu.edu'" <ips@ece.cmu.edu>
Subject:    Re: iSCSI and IPSec



On Thu, 9 May 2002, Shahram Davari wrote:

> Hi,
>
> Is IPSec supported in iSCSI? and if so, is it optional to use or
mandatory?

IPsec is a MUST. Though you can get away with just tunnel mode.

Take care,

Bill