[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: IPsec Usage Question

    An SA only needs to be set up if it isn't in place already.  How often this
    happens can be controlled through configuration:
    - Does the discovery traffic use the same SA as other traffic, or does it
    require a unique SA?
    - How often is discovery performed?
    - How long does an SA stay in place when there is no traffic?
    It should be possible to choose these parameters so that IPsec doesn't
    unduly burden discovery, perhaps suggestions for the above could be included
    in the standard.
    Best Regards,
    Joseph D. Harwood
    (408) 838-9434
    > |This approach works, but it
    > |makes dynamic
    > |discovery much more difficult to use with security gateways.  To the
    > |extent that this biases IP storage against the use of security
    > |gateways,
    > |it will make my life easier in dealing with the folks who want to make
    > |absolutely sure that IP Storage uses end-to-end security, but I wanted
    > |to make sure that the practical configuration consequences of this
    > |approach were understood.
    > Even if the granularity of the security policy permits discovery (allows a
    > target to be reached for discovery purposes) the process will be slow.
    > Discovery cannot occur until an SA has been established between
    > any security
    > endpoints that may exist in the path between the iSCSI initiator
    > and target.
    > I don't know how directed the dynamic discovery mechanisms are
    > but it seems
    > as if this is going to be a very slow process even in simple cases where
    > there are no nested tunnels.
    > Consider a simple case of a target in some remote protected subnet and the
    > initiator in a local protected subnet. Each subnet has a security
    > gateway to
    > the internet and both gateways secure all traffic between themselves by
    > means of an IPsec tunnel.
    > The first packet sent by the initiator to some target's IP will trigger an
    > IKE exchange to the remote security gateway (whose IP is in the Security
    > Policy database of the local security gateway) to establish the IPSec SAs.
    > Depending on how the policy is setup, packets from the initiator to a
    > different target IP may require a different IPSec SA to be setup.
    > Imagine when there are nested tunnels because there is, in the
    > path between
    > initiator and target,  a company security gateway followed by  a
    > department
    > security gateway! In this case a security association must first be
    > established with the corporate security gateway before a security
    > association can be established with the department security gateway.
    > Yes, it appears that the combination of IPSec and peer discovery is ugly
    > indeed!


Last updated: Tue Feb 05 12:17:58 2002
8638 messages in chronological order