[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: IPsec Usage Question

    I agree with Paul, the association of *any* internal network address to any
    external mapping is  an IPSec configuration concern!  To state that another
    way, that is a generic IPSec security gateway configuration detail.  I can't
    speak for iSNS, but this information does *not* belong in the SendTargets
    command or the iSCSI portion of SLP!  That very notion violates
    architectural layering principals - iSCSI has no need to know about IPSec
    headers which will be stripped off before the iSCSI processing layer
    receives the packet.
    It is true that security gateways in general have implications to the
    accessability of *every* service behind that gateway.  But the solution does
    not lie in sprinkling pieces of the IPSec configuration into all of those
    service configuration mechanisms!  As Paul suggests, this should be handled
    by the IPSec configuration management tools.
    We've already agreed that sendTargets should contain only information
    directly related to iSCSI configuration (knowledge within the iSCSI
    "entity") - see this thread  Just say No! to
    feature creep... :-)
    Marjorie Krueger
    Networked Storage Architecture
    Networked Storage Solutions Org.
    tel: +1 916 785 2656
    fax: +1 916 785 0391
    > -----Original Message-----
    > From: Paul Koning []
    > Sent: Friday, February 01, 2002 12:54 PM
    > To:
    > Cc:
    > Subject: RE: IPsec Usage Question
    > Excerpt of message (sent 1 February 2002) by
    > > Mandating the same addresses in the inner and outer header is a "big
    > > hammer" that may not be the right course of action.  OTOH, if one
    > > needs to know both the inner and outer IP addresses in 
    > order to contact
    > > a target, that has implications for the functionality/usage of Send
    > > Targets, iSNS, and SLP.  My underlying goal is to figure out whether
    > > we need to put support for two IP addresses per target into those
    > > configuration mechanisms (this would apply to FCIP, iFCP, 
    > and iSCSI).
    > Managing the mapping from the inner address to the outer address is
    > a function of IPsec management -- that's the policy database which
    > defines which host traffic is protected by what tunnel.
    > It's tempting to try to avoid IPsec management by addressing
    > restrictions such as you mentioned here, but that does not help.
    > There are about a dozen parameters for an IPsec SA, and you can't
    > hardware all of them in the standard.  Trying to attack this by the
    > restriction you proposed, even if feasible, only takes care of a
    > fraction of the IPsec management you need.
    > I would think that IP Storage mechanisms such as Send Targets or iSNS
    > should concern themselves with storage, not with other components like
    > IPsec.  So yes, you need IPsec management (including tunnel
    > addressing) but no, it's not the job of IP Storage mechanisms to
    > administer those parameters.
    >      paul


Last updated: Sat Feb 02 17:18:02 2002
8609 messages in chronological order