    does iSCSI layer need to check IPsec policy? I hope not.



    I have some difficulty understanding the intent in section 8.3.3.
    
    Section 8.3.3, Policy, Security Associations, and Cryptographic Key Management says "The method used by the initiator to determine whether the target should be connected using IPsec is regarded as an issue of IPsec policy administration, and thus not defined in the iSCSI standard. If an iSCSI target is discovered via a SendTargets request in a *discovery* session not using IPsec, the initiator should assume that it does not need IPsec to establish a [normal or operational] session to that target. If an iSCSI target is discovered using a discovery session that does use IPsec, the initiator SHOULD use IPsec when establishing a [normal] session to that target."
    
    How does the iSCSI layer know that the session is protected by IPsec? This is not addressed in the iSCSI spec. In theory only the management application that configured the policy for this machine should care about IPsec. Why does iSCSI need to know? How *does* an initiator use IPsec when establishing a session - either discovery or operational? If the discovery session was protected by IPsec (because the policy on the machine was configured to protect a certain category of traffic which encompasses the discovery session) then it is the responsibility of the initiator to make sure the policy is such that the operational session is also protected by IPsec? This seems very strange to me. It seems that the initiator has to make sure the policy was defined consistently???
    
    To summarize, my basic conceptual problem is this:
    
    Policy is what determines the traffic that is protected by IPsec. Policy is configured outside of iSCSI. Does iSCSI have the responsibility to check that the policy is correct? If such is not the case then I don't think iSCSI needs to even be aware that some or all of its traffic is being protected by IPsec. Both the iSCSI spec and the IPS-Security draft seem vague in this matter.
    
    Clarifications will be appreciated. Thanks. 
    
    Vince Cavanna
    Agilent Technologies
    


Last updated: Tue Feb 04 23:19:02 2003