RE: IPsec Usage Question
Excerpt of message (sent 1 February 2002) by Black_David@emc.com:
> Mandating the same addresses in the inner and outer header is a "big
> hammer" that may not be the right course of action. OTOH, if one
> needs to know both the inner and outer IP addresses in order to contact
> a target, that has implications for the functionality/usage of Send
> Targets, iSNS, and SLP. My underlying goal is to figure out whether
> we need to put support for two IP addresses per target into those
> configuration mechanisms (this would apply to FCIP, iFCP, and iSCSI).
Managing the mapping from the inner address to the outer address is
a function of IPsec management -- that's the policy database which
defines which host traffic is protected by what tunnel.
It's tempting to try to avoid IPsec management by addressing
restrictions such as you mentioned here, but that does not help.
There are about a dozen parameters for an IPsec SA, and you can't
hardwire all of them in the standard. Trying to attack this by the
restriction you proposed, even if feasible, only takes care of a
fraction of the IPsec management you need.
I would think that IP Storage mechanisms such as Send Targets or iSNS
should concern themselves with storage, not with other components like
IPsec. So yes, you need IPsec management (including tunnel
addressing) but no, it's not the job of IP Storage mechanisms to
administer those parameters.
paul