RE: iSCSI: IPsec tunnel / transport mode decision
Bill,
I agree that you can make external devices that support transport mode,
but it seems that most of those existing today do not support it.
Anyway for our required decision... you also said you prefer tunnel mode,
right?
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
"Bill Strahm" <bill@Sanera.net> on 04/11/2001 21:39:22
Please respond to "Bill Strahm" <bill@Sanera.net>
To: Ofer Biran/Haifa/IBM@IBMIL, <saqibj@margallacomm.com>
cc: <ips@ece.cmu.edu>
Subject: RE: iSCSI: IPsec tunnel / transport mode decision
Ok,
How does mandatory Transport mode remove the possibility of external IPsec...
I have said before I can make IPsec transport & tunnel mode work in external
devices, just like you can do SSL/TLS accelerators both internally and externally
Bill
-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of Ofer Biran
Sent: Sunday, November 04, 2001 4:27 AM
To: saqibj@margallacomm.com
Cc: ips@ece.cmu.edu
Subject: RE: iSCSI: IPsec tunnel / transport mode decision
Saqib,
Mandatory transport mode would make bundling of external IPsec
impossible, while tunnel mode is not more difficult to implement
within the iSCSI endpoint than transport mode.
"Cost of ownership and complexity of deploying a stand-alone
IPsec gateway" might be among the considerations of vendors and
customers, but I don't think the standard should block such
solutions (and it blocks more than just stand-alone IPsec
gateway).
Regards,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
"Saqib Jang" <saqibj@margallacomm.com> on 02/11/2001 20:59:03
Please respond to <saqibj@margallacomm.com>
To: "Bill Strahm" <bill@sanera.net>, "CAVANNA,VICENTE V (A-Roseville,ex1)" <vince_cavanna@agilent.com>
cc: "SHEEHY,DAVE (A-Americas,unix1)" <dave_sheehy@agilent.com>, Ofer Biran/Haifa/IBM@IBMIL, <ips@ece.cmu.edu>
Subject: RE: iSCSI: IPsec tunnel / transport mode decision
What about the cost of ownership and complexity of deploying
a stand-alone IPsec gateway for use with IPsec end-points?
If transport-mode IPsec is a must-to-implement capability in
iSCSI end-points there is an opportunity to have much
more coherent security for iSCSI.
Saqib