Re: IPsec Usage Question

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 31 January 2002) by Black_David@emc.com:
> In Salt Lake City, I asked folks to become familiar with
> existing IPsec implementations that they plan to (re)use.  I
> now have a specific question about this that I need answers
> to - send the answers to me directly to avoid inadvertently
> revealing implementation plans (I promise to keep them
> private).
> 
> Q: Does the IPsec implementation you plan to use require
> 	that the inner IP address be different from the outer
> 	IP address for traffic that is to pass through IPsec
> 	to the IP Storage (iSCSI, iFCP, FCIP) system?
> Follow-up: If so, how do you plan to configure your system
> 	to securely access a peer IP Storage system from
> 	another vendor that also has this requirement?
> 
> The underlying concern is that requiring that the inner
> and outer IP addresses always be the same would visibly
> simplify the configuration required to use IPsec with
> the IP Storage protocols.

I'm not sure if this is what you intended, but I'm reading this to say
that IPsec as used with IP Storage would mandate the same IP addresses
on inner and outer header.

If so, that is equivalent to prohibiting external security gateways.
This is not good.  I understand that there are people who feel that an
external security gateway is not necessarily the right way to address
security concerns in IP Storage.  But that's a long way from
prohibiting their use entirely.

If that wasn't your intent, could you clarify what you're after?  If
the goal is to *permit* inner == outer, that's fine.  That's commonly
supported because that situation occurs when you tunnel from a single
host to a site protected by an IPsec gateway.  And yes, allowing inner
== outer in that case indeed makes things slightly easier.

     paul