RE: IP Storage and IPsec encapsulation
At 6:39 PM -0800 11/29/01, William Dixon wrote:
>Steve, Ran, this seems to again (L2TP UDP 1701 being the first) require
>a transport layer interface definition for using IPSec security - in the
>iSCSI case: how to use IKE and IPSec to secure a TCP src port, dst port
>connection, deal with the binding of the authentication credential to
>the traffic in the SA, allow/disallow iSCSI awareness of IKE SA
>credentials, and IKE QM/IPSec SA state, and deal with the programmatic
>policy addition to an otherwise admin defined SPD.
>
>Practically, shipping products that use IKE and IPSec in either mode for
>TCP connection security means a well defined "policy" so that client
>(iSCSI initiator) and server (iSCSI target) side products interoperate
>with just credentials configured properly, ala web-based usage of
>SSL/TLS.
William,
I apologize that your message got buried in my inbox for about 65 weeks.
I don't fully understand the issues you are raising here, perhaps
because of your extremely concise exposition in the first paragraph
:-).
IPsec already knows how to manage SAs at the granularity of TCP port
pairs. IPsec does not say where the credentials used by IKE come
from; a TLI could provide them. You have not made clear what features
of the IPsec specs preclude what you want to do. Of course, I'm more
interested in what needs to be accomplished, and why, rather
than how you would like to accomplish it.
BTW, it's IPsec, not IPSec.
Steve
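As an added example, not code from either message in this thread: a small Python model of an SPD whose selectors reach down to TCP port pairs, with an application inserting a narrower entry for one iSCSI connection ahead of the admin-defined rules (the two concerns raised above). All addresses, ports, and action strings are constructed sample values; 3260 is iSCSI's registered TCP port.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = None  # wildcard for any selector field


@dataclass(frozen=True)
class Selector:
    """Traffic selector: src/dst address, IP protocol, TCP/UDP ports."""
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    proto: Optional[int] = ANY   # 6 = TCP
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        fields = ("src", "dst", "proto", "sport", "dport")
        return all(getattr(self, f) is ANY or getattr(self, f) == pkt[f]
                   for f in fields)


@dataclass
class SPD:
    """Ordered SPD: first matching entry wins; no match means discard."""
    entries: List[Tuple[Selector, str]] = field(default_factory=list)

    def add_admin(self, sel: Selector, action: str) -> None:
        self.entries.append((sel, action))

    def add_programmatic(self, sel: Selector, action: str) -> None:
        # Entry added by the application for one TCP connection: it goes
        # ahead of the admin rules so it wins for that port pair only, and
        # must be withdrawn again when the connection closes.
        self.entries.insert(0, (sel, action))

    def lookup(self, pkt: dict) -> str:
        for sel, action in self.entries:
            if sel.matches(pkt):
                return action
        return "DISCARD"


def build_demo_spd() -> SPD:
    """Admin policy plus one programmatic entry (constructed sample values)."""
    spd = SPD()
    spd.add_admin(Selector(proto=6, dport=3260), "PROTECT ESP transport")  # iSCSI
    spd.add_admin(Selector(), "BYPASS")
    spd.add_programmatic(
        Selector(src="10.0.0.5", dst="10.0.0.9", proto=6, sport=40001, dport=3260),
        "PROTECT ESP transport, SA bound to initiator credential")
    return spd
```

The programmatic entry matches exactly one TCP 4-tuple, while every other iSCSI connection still falls through to the admin rule and non-iSCSI traffic is bypassed.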