
    RE: IPsec Usage Question

    Addendum to my previous note about tunnels and IPsec gateways, because
    the examples I gave don't make the issue clear.

    The issue is: given how security gateways are used, is the inner
    address == outer address restriction acceptable?

    Consider a situation where a set of initiators are protected by a
    (separate) IPsec gateway.  There are plenty of reasons for using that
    setup: (1) lower cost than per-HBA high speed crypto, (2) centralized
    security management is easier, (3) centralized security management is
    required by organization policy, (n) etc.  On the other hand, the
    target is an iSCSI node whose built-in IPsec is used.  (Perhaps it's
    managed separately; perhaps since there is only one node it is
    considered more sensible not to stick an IPsec gateway in front of
    it.)  Let's assume that node doesn't need a separate outer IPsec

    In that setting, the I->T packets will have innerDA == outerDA and
    innerSA != outerSA, while the T->I packets will have innerSA == outerSA
    and innerDA != outerDA.

    Note also that in this scenario it doesn't matter to the initiators
    whether the target uses inner == outer.  The initiators talk to the
    inner address of the target; only the IPsec gateway needs to know that
    that traffic goes into the tunnel to the target, and what the outer
    address for the tunnel is.  (And that has to be IPsec management, not
    IPS management, since the IPsec gateway doesn't participate in any IPS

    So in summary: since it's not acceptable to rule out the use of
    separate IPsec security gateways at one end of an IPS connection, it
    follows that you must allow inner != outer address.
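The addressing argument above, worked through as an added example (not code from the original post or from the IPS working group). It models only the tunnel-mode rule the post relies on: the outer header carries the addresses of the IPsec endpoints (a separate security gateway, or the node itself when it uses built-in IPsec), while the inner header carries the node addresses. The node names, the gateway, and all addresses are constructed sample values, and the function names are this example's own. It generalizes slightly beyond the post by letting either side sit behind a gateway, so the same check covers the symmetric cases too.

```python
"""Tunnel-mode IPsec addressing for an iSCSI initiator/target pair.

Added example, not from the original mailing-list post.  All addresses
below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Node:
    name: str
    addr: str                      # the node's own (inner) address
    gateway: Optional[str] = None  # address of a separate IPsec gateway, if any

    @property
    def outer(self) -> str:
        # With built-in IPsec the node itself is the tunnel endpoint;
        # behind a separate security gateway, the gateway is.
        return self.gateway if self.gateway else self.addr


@dataclass(frozen=True)
class TunnelPacket:
    outer_sa: str
    outer_da: str
    inner_sa: str
    inner_da: str


def tunnel_packet(src: Node, dst: Node) -> TunnelPacket:
    """Build the tunnel-mode packet for traffic from src to dst."""
    return TunnelPacket(src.outer, dst.outer, src.addr, dst.addr)


def address_relations(pkt: TunnelPacket) -> Dict[str, bool]:
    """Report whether inner and outer source/destination addresses coincide."""
    return {
        "sa_match": pkt.inner_sa == pkt.outer_sa,
        "da_match": pkt.inner_da == pkt.outer_da,
    }


def allowed_under_inner_equals_outer(a: Node, b: Node) -> bool:
    """Would both directions of an a<->b connection pass an
    'inner address == outer address' restriction?"""
    for src, dst in ((a, b), (b, a)):
        rel = address_relations(tunnel_packet(src, dst))
        if not (rel["sa_match"] and rel["da_match"]):
            return False
    return True


# The scenario from the post (constructed addresses): initiators behind a
# separate IPsec gateway, target using its own built-in IPsec.
INITIATOR = Node("initiator", "10.1.0.5", gateway="192.0.2.1")
TARGET = Node("target", "203.0.113.7")


def scenario_relations() -> Dict[str, Dict[str, bool]]:
    """Inner/outer address relations for I->T and T->I in the post's setup."""
    return {
        "I->T": address_relations(tunnel_packet(INITIATOR, TARGET)),
        "T->I": address_relations(tunnel_packet(TARGET, INITIATOR)),
    }


if __name__ == "__main__":
    for direction, rel in scenario_relations().items():
        print(direction, rel)
    print("allowed under inner == outer:",
          allowed_under_inner_equals_outer(INITIATOR, TARGET))
```

Running it reproduces the post's claim: I->T packets have innerDA == outerDA but innerSA != outerSA, T->I packets have innerSA == outerSA but innerDA != outerDA, so a policy that insists on inner == outer rejects the gateway deployment in both directions. Only when both nodes use built-in IPsec (no `gateway` set on either) does the restriction pass.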


Last updated: Tue Feb 05 00:18:02 2002