
    RE: IPsec Usage Question

    Excerpt of message (sent 1 February 2002) by
    > Mandating the same addresses in the inner and outer header is a "big
    > hammer" that may not be the right course of action.  OTOH, if one
    > needs to know both the inner and outer IP addresses in order to contact
    > a target, that has implications for the functionality/usage of Send
    > Targets, iSNS, and SLP.  My underlying goal is to figure out whether
    > we need to put support for two IP addresses per target into those
    > configuration mechanisms (this would apply to FCIP, iFCP, and iSCSI).

    Managing the mapping from the inner address to the outer address is
    a function of IPsec management -- that's the policy database which
    defines which host traffic is protected by what tunnel.

    It's tempting to try to avoid IPsec management by addressing
    restrictions such as you mentioned here, but that does not help.
    There are about a dozen parameters for an IPsec SA, and you can't
    hardwire all of them in the standard.  Trying to attack this by the
    restriction you proposed, even if feasible, only takes care of a
    fraction of the IPsec management you need.

    I would think that IP Storage mechanisms such as Send Targets or iSNS
    should concern themselves with storage, not with other components like
    IPsec.  So yes, you need IPsec management (including tunnel
    addressing) but no, it's not the job of IP Storage mechanisms to
    administer those parameters.
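
Added example, not part of the original message: a minimal model of the separation described above, in which discovery returns one (inner) address per target and an ordered, first-match policy database supplies the outer tunnel address. The addresses, target names, and the `SpdEntry`, `spd_lookup`, `discover_targets` and `plan_connections` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:
    remote_net: str             # selector: inner (target) address range
    protocol: str               # selector: "tcp", "udp" or "any"
    remote_port: Optional[int]  # selector: None matches any port
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    tunnel_peer: Optional[str] = None  # outer address, PROTECT only

    def matches(self, dst: str, protocol: str, port: int) -> bool:
        return (ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net)
                and self.protocol in ("any", protocol)
                and self.remote_port in (None, port))

# Constructed policy (documentation address ranges). Order matters: first match.
SPD = [
    SpdEntry("192.0.2.128/25", "tcp", 3260, "PROTECT", "198.51.100.2"),
    SpdEntry("192.0.2.0/24", "tcp", 3260, "PROTECT", "198.51.100.1"),
    SpdEntry("203.0.113.0/24", "any", None, "BYPASS"),
]

def spd_lookup(dst: str, protocol: str, port: int) -> SpdEntry:
    """Return the first matching entry; unmatched traffic is discarded."""
    for entry in SPD:
        if entry.matches(dst, protocol, port):
            return entry
    return SpdEntry("0.0.0.0/0", "any", None, "DISCARD")

def discover_targets() -> list:
    """Stand-in for SendTargets/iSNS/SLP: one (inner) address per target."""
    return [("iqn.example:disk1", "192.0.2.10", 3260),
            ("iqn.example:disk2", "192.0.2.130", 3260),
            ("iqn.example:disk3", "203.0.113.5", 3260),
            ("iqn.example:disk4", "10.9.9.9", 3260)]

def plan_connections() -> dict:
    """Map each discovered target to (action, outer address) via the SPD."""
    plan = {}
    for name, inner, port in discover_targets():
        entry = spd_lookup(inner, "tcp", port)
        plan[name] = (entry.action, entry.tunnel_peer)
    return plan

if __name__ == "__main__":
    for name, decision in plan_connections().items():
        print(name, decision)
```

The discovery records never carry an outer address; changing a tunnel endpoint means editing the policy list only.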


Last updated: Fri Feb 01 17:17:55 2002