RE: I-D ACTION:draft-ietf-ips-security-04.txt
Have a couple of quick questions about the transport vs. tunnel mode discussion in the firewall traversal section of the latest draft.
The section reads:

    Firewall traversal. Where a storage protocol is to traverse
    administrative domains, the firewall administrator may desire to
    verify the integrity and authenticity of each transiting packet,
    rather than opening a hole in the firewall for the storage
    protocol. IPsec tunnel mode lends itself to such verification,
    since the firewall can terminate the tunnel mode connection while
    still allowing the endpoints to communicate end-to-end. If desired,
    the endpoints can in addition utilize IPsec transport mode for
    end-to-end security, so that they can also verify authenticity and
    integrity of each packet for themselves.
My question is how important the requirement for firewall administrators to "verify the integrity and authenticity of each transiting packet" is if the iSCSI endpoints are using transport-mode IPsec/ESP (implying authentication and integrity checking) connections. Why would (in this case) opening a hole in the firewall to allow traversal of IPsec traffic not be sufficient? Also, are there potential latency issues that may arise if the firewall is terminating IPsec (vs. iSCSI end-points terminating IPsec)? I see the emergence of IPsec acceleration in iSCSI end-points (vs. in general-purpose firewalls) to be a more likely scenario.
Saqib
Saqib Jang
Margalla Communications, Inc.
3301 El Camino Real, Suite 220
Atherton, CA 94027
Ph: 650 298 8462
Fax: 650 851 1613
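As an added illustration (not part of the original post or of the draft) of the distinction the question turns on: a firewall that merely opens a hole for ESP can only inspect the unauthenticated SPI and sequence number, whereas a gateway that terminates the tunnel-mode SA holds the key and can verify the ICV. The ESP framing is simplified (no encryption, HMAC-SHA1-96 ICV only) and the SPI, key and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Simplified ESP framing: SPI (4) | Seq (4) | payload | ICV (HMAC-SHA1-96, 12 bytes).
# Encryption is omitted; only the integrity/authentication part is modelled.
ICV_LEN = 12

def esp_build(spi, seq, payload, auth_key):
    """Build an ESP-like packet whose ICV covers SPI, Seq and payload."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv

def firewall_passthrough(pkt, allowed_spis, last_seq):
    """What a firewall that only opens a hole for ESP can check: the SPI is
    expected and the sequence number advances. Without the SA key it cannot
    tell whether payload or ICV were altered in transit."""
    spi, seq = struct.unpack("!II", pkt[:8])
    return spi in allowed_spis and seq > last_seq.get(spi, 0)

def tunnel_terminator_verify(pkt, auth_key):
    """What a gateway terminating the tunnel-mode SA can do: recompute the ICV
    with the SA key and reject any packet modified on the wire."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def demo():
    """Compare both checks on an intact and a corrupted packet (constructed data)."""
    key = b"constructed-sa-key-not-real"          # hypothetical SA auth key
    pkt = esp_build(0x1000, 7, b"iSCSI PDU bytes (constructed sample)", key)
    tampered = pkt[:8] + b"x" + pkt[9:]          # one payload byte changed in transit
    allowed = {0x1000}
    return {
        "fw_accepts_good": firewall_passthrough(pkt, allowed, {}),
        "fw_accepts_tampered": firewall_passthrough(tampered, allowed, {}),
        "gw_accepts_good": tunnel_terminator_verify(pkt, key),
        "gw_accepts_tampered": tunnel_terminator_verify(tampered, key),
    }
```

The hole-in-the-firewall check passes the corrupted packet (it only sees an acceptable SPI and sequence number), while the key-holding tunnel terminator rejects it.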