Re: [saag] RE: IP Storage and IPsec encapsulation



At 17:47 28/11/01, Black_David@emc.com wrote:
 >The configuration of interest is:
 >
 >|--------------------------|    |---------------|
 >| IP Storage without IPsec |----| IPsec gateway |-->
 >|--------------------------|    |---------------|
 >
 >Where the link between the two boxes is not attached
 >to anything else.  The only IPsec implementation on this
 >end of the connection is in the gateway, and the only
 >link in the above diagram that complies with the protocol
 >requirements is the link on the right hand side of the
 >gateway.  The gateway does not implement transport
 >mode, hence the interest in tunnel mode.

IP Storage really really needs end-to-end security IMNVHO.

So I think the above is just a bogus implementer being lazy
rather than a valid security architecture.  The above can't
provide the kinds of end-to-end security properties that 
one needs for IP Storage applications.

The IETF went through a similar discussion in the NFS context,
concluding in that case that fine-grained end-to-end security
properties were needed.  The above can't even coarsely approximate
what NFS (which has lots of similarities to IP Storage otherwise)
was required to provide to be on the IETF standards-track.

Ran
rja@inet.org