
RE: IP Storage and IPsec encapsulation

At 6:39 PM -0800 11/29/01, William Dixon wrote:
>Steve, Ran, this seems to again (L2TP UDP 1701 being the first) require
>a transport layer interface definition for using IPSec security - in the
>iSCSI case: how to use IKE and IPSec to secure a TCP src port, dst port
>connection, deal with the binding of the authentication credential to
>the traffic in the SA, allow/disallow iSCSI awareness of IKE SA
>credentials, and IKE QM/IPSec SA state, and deal with the programmatic
>policy addition to an otherwise admin defined SPD. 
>
>Practically, shipping products that use IKE and IPSec in either mode for
>TCP connection security means a well defined "policy" so that client
>(iSCSI initiator) and server (iSCSI target) side products interoperate
>with just credentials configured properly, ala web-based usage of
>SSL/TLS.

William,

I apologize that your message got buried in my inbox for about 65 weeks.

I don't fully understand the issues you are raising here, perhaps 
because of your extremely concise exposition in the first paragraph 
:-).

IPsec already knows how to manage SAs at the granularity of TCP port 
pairs. IPsec does not say where the credentials used by IKE come 
from; a TLI could provide them. You have not made clear what features 
of the IPsec specs preclude what you want to do. Of course, I'm more 
interested in what needs to be accomplished, and why, rather 
than how you would like to accomplish it.

BTW, it's IPsec, not IPSec.

Steve
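The point at issue in the exchange above is whether IPsec policy can be keyed on a single TCP src/dst port pair and whether an application (the iSCSI initiator) can add such an entry to an SPD the administrator otherwise controls. The following is an added example, not code from either correspondent nor from any real IPsec implementation: a constructed, first-match SPD with RFC 2401-style selectors. The addresses, the ephemeral source port 49152 and the admin policy are constructed; the `SPD`, `Selector` and `Policy` names are hypothetical. It also goes one step beyond the text by showing one way to keep a programmatically added entry from relaxing admin policy: application entries may only request PROTECT, and must name a full port pair.

```python
"""Constructed SPD model: admin-defined entries plus one entry added by a
hypothetical iSCSI initiator for its own TCP connection (example only).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # wildcard for a selector field

ISCSI_TARGET_PORT = 3260  # IANA-registered iSCSI port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address prefixes, protocol and the two ports."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (ANY, pkt.proto)
                and self.sport in (ANY, pkt.sport)
                and self.dport in (ANY, pkt.dport))


@dataclass
class Policy:
    selector: Selector
    action: str           # "PROTECT", "BYPASS" or "DISCARD"
    sa_params: str = ""   # SA requirements for PROTECT entries
    origin: str = "admin"


class SPD:
    """Ordered, first-match SPD. Application-added entries are searched
    before the admin entries but may only request PROTECT for a fully
    specified port pair: an application can demand IPsec for its own
    connection, never relax what the administrator configured."""

    def __init__(self) -> None:
        self.app_entries: List[Policy] = []
        self.admin_entries: List[Policy] = []

    def add_admin(self, policy: Policy) -> None:
        policy.origin = "admin"
        self.admin_entries.append(policy)

    def add_app(self, policy: Policy) -> None:
        if policy.action != "PROTECT":
            raise ValueError("application entries may only add protection")
        sel = policy.selector
        if sel.proto is ANY or sel.sport is ANY or sel.dport is ANY:
            raise ValueError("application entries must name a full port pair")
        policy.origin = "app"
        self.app_entries.append(policy)

    def lookup(self, pkt: Packet) -> Policy:
        for policy in self.app_entries + self.admin_entries:
            if policy.selector.matches(pkt):
                return policy
        # RFC 2401: a packet matching no SPD entry is discarded.
        return Policy(Selector(), "DISCARD", origin="default")


def build_spd() -> SPD:
    """Constructed sample: admin lets the storage subnets talk in the clear;
    the initiator then asks for ESP on its one TCP connection."""
    spd = SPD()
    spd.add_admin(Policy(Selector(src="198.51.100.0/24",
                                  dst="203.0.113.0/24"), "BYPASS"))
    spd.add_app(Policy(Selector(src="198.51.100.10/32", dst="203.0.113.5/32",
                                proto="tcp", sport=49152,
                                dport=ISCSI_TARGET_PORT),
                       "PROTECT", sa_params="esp/transport//require"))
    return spd


if __name__ == "__main__":
    spd = build_spd()
    for pkt in (Packet("198.51.100.10", "203.0.113.5", "tcp", 49152, 3260),
                Packet("198.51.100.10", "203.0.113.5", "tcp", 49152, 80),
                Packet("192.0.2.1", "203.0.113.5", "tcp", 1, 3260)):
        pol = spd.lookup(pkt)
        print(pkt.dport, pol.action, pol.origin, pol.sa_params)
```

What the model leaves out is exactly the part William raises and Steve does not answer: how the credential IKE authenticates with is bound to the SA that ends up protecting that port pair, and whether the application gets to see it.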