
    RE: iSCSI: IPsec tunnel / transport mode decision



    Bill,
    
    > I actually would prefer if we didn't say anything other than a statement
    > saying "Here is a policy that will cover IPS traffic" from there it is up to
    > compliant IPsec implementations to utilize this policy...
    > 
    > Being that the WG feels that just specifying a coverage policy is adequate,
    > but must get into specifying portions of the IPsec functionality, I would
    > prefer Tunnel mode, because as far as I can tell, no one has shown a
    > functional e-e transport mode implementation in the wild...
    > 
    > Can anyone point to one?
    
    I think Borderware has a bridge proxy which supports 
    transport mode but you would need to double-check.
    
    You must be aware of OpenBSD's bridging which came close 
    but did not do transport mode, since RFC 2401 requires 
    that transport mode must not be applied to IP fragments.  
    
    Anything in the wild...? Dunno.
    
    -Sandeep
    
    > 
    > Bill
    > +========+=========+=========+=========+=========+=========+=========+
    > Bill Strahm     Software Development is a race between Programmers
    > Member of the   trying to build bigger and better idiot proof software
    > Technical Staff and the Universe trying to produce bigger and better
    > bill@sanera.net idiots.
    > (503) 601-0263  So far the Universe is winning --- Rich Cook
    > 
    > > -----Original Message-----
    > > From: Ofer Biran [mailto:BIRAN@il.ibm.com]
    > > Sent: Tuesday, November 06, 2001 11:53 AM
    > > To: Bill Strahm
    > > Cc: saqibj@margallacomm.com; ips@ece.cmu.edu
    > > Subject: RE: iSCSI: IPsec tunnel / transport mode decision
    > > 
    > > Bill,
    > > 
    > > I agree that you can make external devices that support transport mode,
    > > but it seems that most of those existing today do not support it.
    > > 
    > > Anyway for our required decision... you also said you prefer tunnel mode,
    > > right?
    > > 
    > > Regards,
    > > Ofer
    > > 
    > > Ofer Biran
    > > Storage and Systems Technology
    > > IBM Research Lab in Haifa
    > > biran@il.ibm.com  972-4-8296253
    > > 
    > > > "Bill Strahm" <bill@Sanera.net> on 04/11/2001 21:39:22
    > > > 
    > > > Please respond to "Bill Strahm" <bill@Sanera.net>
    > > > 
    > > > To:   Ofer Biran/Haifa/IBM@IBMIL, <saqibj@margallacomm.com>
    > > > cc:   <ips@ece.cmu.edu>
    > > > Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    > > > 
    > > > Ok,
    > > > 
    > > > How does mandatory Transport mode remove the possibility of external
    > > > IPsec...
    > > > 
    > > > I have said before I can make IPsec transport & tunnel mode work in
    > > > external devices, just like you can do SSL/TLS accelerators both
    > > > internally and externally
    > > > 
    > > > Bill
    > > > 
    > > > -----Original Message-----
    > > > From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    > > > Ofer Biran
    > > > Sent: Sunday, November 04, 2001 4:27 AM
    > > > To: saqibj@margallacomm.com
    > > > Cc: ips@ece.cmu.edu
    > > > Subject: RE: iSCSI: IPsec tunnel / transport mode decision
    > > > 
    > > > Saqib,
    > > > 
    > > > Mandatory transport mode would make bundling of external IPSec
    > > > impossible, while tunnel mode is not more difficult to implement
    > > > within the iSCSI endpoint than transport mode.
    > > > 
    > > > "Cost of ownership and complexity of deploying a stand-alone
    > > > IPsec gateway" might be among the considerations of vendors and
    > > > customers, but I don't think the standard should block such
    > > > solutions (and it blocks more than just stand-alone IPsec
    > > > gateway).
    > > > 
    > > > Regards,
    > > > Ofer
    > > > 
    > > > Ofer Biran
    > > > Storage and Systems Technology
    > > > IBM Research Lab in Haifa
    > > > biran@il.ibm.com  972-4-8296253
    > > > 
    > > > "Saqib Jang" <saqibj@margallacomm.com> on 02/11/2001 20:59:03
    > > > 
    > > > Please respond to <saqibj@margallacomm.com>
    > > > 
    > > > To:   "Bill Strahm" <bill@sanera.net>, "CAVANNA,VICENTE V
    > > > (A-Roseville,ex1)" <vince_cavanna@agilent.com>
    > > > cc:   "SHEEHY,DAVE (A-Americas,unix1)" <dave_sheehy@agilent.com>, Ofer
    > > > Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
    > > > Subject:  RE: iSCSI: IPsec tunnel / transport mode decision
    > > > 
    > > > What about the cost of ownership and complexity of deploying
    > > > a stand-alone IPsec gateway for use with IPsec end-points?
    > > > If transport-mode IPsec is a must-to-implement capability in
    > > > iSCSI end-points there is an opportunity to have much
    > > > more coherent security for iSCSI.
    > > > 
    > > > Saqib
    > > > 
    



Last updated: Fri Nov 09 13:17:38 2001
7697 messages in chronological order