Re: IPSEC target and transport mode

[Bill Studenmund <wrstuden@wasabisystems.com>]

Sorry if this goes out twice, I think my mailer ate it the first time.

On Tue, 26 Mar 2002 Black_David@emc.com wrote:

> While I believe the current situation does represent rough consensus
> of the WG, there was a visible minority in the meeting who dissented
> from this decision, and essentially no time to discuss it.  Hence,
> this is an opportunity for those who would like to see the transport
> mode requirement from Huntington Beach retained to explain why on the
> list and see if they can convince the WG.  The only available options
> are (1) to drop all requirements for transport mode (i.e., "MAY implement")
> and (2) to retain the transport mode requirement in the form that it
> was added in Huntington Beach (i.e., transport mode is required when
> RFC 2401 says it is).  I am certain that WG rough consensus cannot be
> obtained for requiring transport mode in all cases (i.e., without the
> "when RFC 2401 says it is" qualifier from Huntington Beach).

As I understand tunnel mode, you have an IPsec security gateway in the
topology. Among other things, that means we won't readily have end-to-end
security, since you have security from the gateway to the device, not
necessarily the initiator to the device.

How do you suggest we achieve end-to-end security without transport mode a
MUST?

Specifically the topology I have in mind is I make a dedicated IP SAN, and
want ESP from the file servers to the storage boxes. They are all on the
same (GigE) subnet. How do I get this level of security (end-to-end) with
just tunnel mode?

Puzzled,

Bill