RE: IPsec gateway vs. host



> it just sounds like the iSCSI folks are 
> calling for a subset of IPsec functionality for their environment.

That's correct, with the caveat that iSCSI security is very much still
a work in progress.  From an IPsec architectural perspective, an
iSCSI implementation is clearly a "host", not a "gateway".

--David (IP Storage WG co-chair)

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------

> -----Original Message-----
> From:	Stephen Kent [SMTP:kent@bbn.com]
> Sent:	Friday, July 06, 2001 3:57 PM
> To:	saqibj@margallacomm.com
> Cc:	ipsec@lists.tislabs.com; Saqib Jang
> Subject:	Re: IPsec gateway vs. host
> 
> At 11:23 AM -0700 7/6/01, Saqib Jang wrote:
> >Is there a scenario where IPsec implemented in a NIC
> >or a HBA can be considered a "gateway" IPsec implementation?
> >I'm trying to reconcile the proposal for iSCSI devices to only
> >support tunnel-mode IPsec with the requirement in RFC 2401
> >that only IPsec "gateways" can support only tunnel-mode IPsec,
> >whereas "hosts" are required to support both tunnel and transport
> >mode IPsec.
> 
> depending on where the NIC is used, it might appropriately support SG 
> vs. host IPsec modes. but, it just sounds like the iSCSI folks are 
> calling for a subset of IPsec functionality for their environment. a 
> compliant IPsec host implementation could be used in this more 
> restrictive fashion.
> 
> Steve