
[saag] RE: IP Storage and IPsec encapsulation



At 5:47 PM -0500 11/28/01, Black_David@emc.com wrote:
>>  Since this is a host-host application layer
>>  protocol, that pretty much implies that you'd want
>>  to use transport mode, since you end up with the
>>  same IP src/dst addresses if you used tunnel mode,
>>  which sounds gratuitously redundant.
>
>The configuration of interest is:
>
>|--------------------------|    |---------------|
>| IP Storage without IPsec |----| IPsec gateway |-->
>|--------------------------|    |---------------|
>
>Where the link between the two boxes is not attached
>to anything else.  The only IPsec implementation on this
>end of the connection is in the gateway, and the only
>link in the above diagram that complies with the protocol
>requirements is the link on the right hand side of the
>gateway.  The gateway does not implement transport
>mode, hence the interest in tunnel mode.

David,

The box in the above diagram looks a lot like a BITW IPsec 
implementation, rather than an SG, and if so it could use transport 
mode and be compliant with 2401.  Only if the IP storage behind the 
IPsec device has multiple addresses would the IPsec device need to be 
viewed as an SG and thus implement tunnel mode only.

Steve

