
Re: IP Storage and IPsec encapsulation



David,

I'm trying to make my way through over 1K messages (that's what I get 
for going on a week vacation when new IPsec IDs come out ...) and so 
I didn't read all of your messages in order.

Looking back at your original (?) message about use of tunnel vs. 
transport mode I agree with you that this should not be a problem for 
iSCSI use of IPsec, from a standards perspective. As you note, people 
need to be smart in configuring an external IPsec device (or set of 
devices) to ensure that, within their context, the desired security 
properties are achieved. Thus, merely because tunnel mode could be 
terminated at a point which would undermine security, in general, 
that does not mean that its use should be avoided in your spec, for 
the reasons you cite. My previous message also noted that the 
outboard IPsec device could be a bump in the wire, vs. an SG, which 
would allow both transport and tunnel mode, but this is a minor 
difference relative to your bigger question.

As you noted, it is a local security policy (and architecture) issue 
where the IPsec devices are placed and whether that placement 
provides adequate security.

Steve

