RE: IPSec and ESP (Tunnel Mode)

To: Ranga.Sankar@netapp.com, ips@ece.cmu.edu
Subject: RE: IPSec and ESP (Tunnel Mode)
From: Black_David@emc.com
Date: Mon, 21 Apr 2003 18:03:37 -0400
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Ranga,

> The iSCSI specification requires targets (and initiators)
> to support IPSec, with the following specific requirements 
>         * MUST implement IPsec with ESP in tunnel mode. 
> Isnt the tunnel mode typically used by intermediate stations such
> as firewall/vpn/router boxes? 
> Why should this be a MUST for targets which act as end stations?

This was controversial at the time.  A significant portion of the
WG wanted to be able to meet the IPsec requirement via an external
IPsec gateway that would necessarily operate in tunnel mode.  Note
that for this approach, the only interface that fully complies with
the requirements of the (coming soon) iSCSI RFC is on the public side
of the IPsec gateway - the internal interface between iSCSI and the
private side of the gateway does not comply due to the absence of
IPsec.  In addition, all IPsec implementations, including end
stations, are required to implement tunnel mode (e.g., so that
they can talk to intermediate stations).

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

Prev by Date: IPSec and ESP (Tunnel Mode)
Next by Date: Re: use of ISID
Prev by thread: IPSec and ESP (Tunnel Mode)
Next by thread: Whether iFCP and FCIP have being approved by IETF??
Index(es):
- Date
- Thread

Home

Last updated: Wed Apr 23 14:19:49 2003
12541 messages in chronological order