RE: IPSEC target and transport mode

To: wrstuden@wasabisystems.com
Subject: RE: IPSEC target and transport mode
From: Black_David@emc.com
Date: Wed, 27 Mar 2002 13:16:31 -0500
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

Bill,

> As I understand tunnel mode, you have an IPsec security gateway in the
> topology. Among other things, that means we won't readily have end-to-end
> security, since you have security from the gateway to the device, not
> necessarily the initiator to the device.

The gateway is possible, but not necessary.  RFC 2401, section 4.1 says:

	Two hosts MAY establish a tunnel mode SA between themselves.

Hence the assertion that end-to-end security is not possible in tunnel
mode is incorrect.  OTOH, if someone chooses to use a separate security
gateway packaged with their IP Storage implementation, they
can only claim compliance with the security requirements of the
appropriate IP Storage RFC(s) on the secured side of the gateway -
they have to explain to their customer that there is no IPsec security
on the (presumably private) link between the IP Storage system and
the gateway.

> How do you suggest we achieve end-to-end security without 
> transport mode a MUST?

IPsec security policy (including use and acceptance of ID payloads)
and decisions about which IKE authentication material is installed
in what systems and is accepted/required by what other systems.
Forcing use of transport mode is a poor substitute for putting a
proper security policy in place.  Ensuring that only the ends of
interest have the material required to set up the end-to-end SA is
a good idea.

> Specifically the topology I have in mind is I make a dedicated IP SAN, and
> want ESP from the file servers to the storage boxes. They are all on the
> same (GigE) subnet. How do I get this level of security (end-to-end) with
> just tunnel mode?

Negotiate what you want and make sure that no security gateway between the
file servers and storage boxes has the IKE authentication material that
the file servers and storage boxes will require.  Negotiation of the
encapsulation mode (you can still do transport if you want to, it's just
not REQUIRED) is supported by SA attribute 4 in Section 4.5 of RFC 2407
(yes, it's well hidden ...).

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------

Follow-Ups:
- RE: IPSEC target and transport mode
  - From: Bill Studenmund <wrstuden@wasabisystems.com>

Prev by Date: Re: IPSEC target and transport mode
Next by Date: RE: iSCSI: padding on intermediate sequences
Prev by thread: Re: IPSEC target and transport mode
Next by thread: RE: IPSEC target and transport mode
Index(es):
- Date
- Thread

Home

Last updated: Wed Apr 03 12:18:23 2002
9446 messages in chronological order