RE: IPsec Usage Question
Excerpt of message (sent 5 February 2002) by Ofer Biran:
>
> Paul,
>
> >This example MUST work. So you cannot require inner == outer
> >address, because that translates into saying that IP Storage cannot be
> >protected by a site to site IPsec tunnel.
>
> This is not Kansas any more... The iSCSI devices on both sites (assuming
> that's their only IPsec protection) are not iSCSI compliant. This
> definitely doesn't cover the IPsec protection mandated by iSCSI.

No, you're mistaken.

I said nothing about what the iSCSI devices IMPLEMENT. I only talked
about what was IN USE by the customer. In the example, the customer
chose to USE a different security mechanism for reasons of cost,
convenience, site policy, or whatever.

Remember that the proposed requirement is "required to implement" and
NOT "required to use".

My interpretation of having "use" be optional is that you also have
the option of securing your traffic via other means.

Am I right? Or is it the intent of the WG to say that no other
security mechanisms are allowed -- if you want security you MUST use
the one that is mandated in iSCSI nodes? If so, for what reason?

paul

Last updated: Tue Feb 05 13:17:56 2002