vince_cavanna | 5 Feb 2003 01:06

Does the iSCSI layer need to check IPsec policy? I hope not.

I have some difficulty understanding the intent in section 8.3.3.

Section 8.3.3, Policy, Security Associations, and Cryptographic Key Management says "The method used by
the initiator to determine whether the target should be connected using IPsec is regarded as an issue of
IPsec policy administration, and thus not defined in the iSCSI standard. If an iSCSI target is discovered
via a SendTargets request in a *discovery* session not using IPsec, the initiator should assume that it
does not need IPsec to establish a [normal or operational] session to that target. If an iSCSI target is
discovered using a discovery session that does use IPsec, the initiator SHOULD use IPsec when
establishing a [normal] session to that target."

How does the iSCSI layer know that the session is protected by IPsec? This is not addressed in the iSCSI spec.
In theory only the management application that configured the policy for this machine should care about
IPsec. Why does iSCSI need to know? How *does* an initiator use IPsec when establishing a session - either
discovery or operational? If the discovery session was protected by IPsec (because the policy on the
machine was configured to protect a certain category of traffic which encompasses the discovery
session), then is it the responsibility of the initiator to make sure the policy is such that the
operational session is also protected by IPsec? This seems very strange to me. It seems that the initiator
has to make sure the policy was defined consistently???

To summarize, my basic conceptual problem is this:

Policy is what determines the traffic that is protected by IPsec. Policy is configured outside of iSCSI.
Does iSCSI have the responsibility to check that the policy is correct? If such is not the case then I don't
think iSCSI needs to even be aware that some or all of its traffic is being protected by IPsec. Both the iSCSI
spec and the IPS-Security draft seem vague in this matter.

Clarifications will be appreciated. Thanks. 

Vince Cavanna
Agilent Technologies
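The consistency worry raised in the post (discovery protected by IPsec, operational session possibly not) can be made concrete as a policy check that runs outside the iSCSI layer, in the management tooling that owns the policy. The following is an added example written for this thread, not code from the post, from the iSCSI specification or from any IPsec implementation. It models an ordered Security Policy Database in the style of RFC 4301 (first matching entry wins), looks up the action for the discovery portal and for each portal returned by SendTargets, and flags the case where the discovery traffic was protected but an operational portal would be sent in the clear. The `SpdEntry` type, the `spd_lookup` and `check_policy_consistency` functions, and the sample policy and addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: an ordered IPsec SPD (RFC 4301 style, first match wins)
# and a consistency check between the policy that covered a discovery session
# and the policy that would cover the operational sessions to the portals that
# SendTargets returned. None of this is taken from the iSCSI or IPS-Security drafts.

ISCSI_PORT = 3260  # IANA-assigned iSCSI port, used by discovery and normal sessions alike

Portal = Tuple[str, int]  # (destination IP, destination port)


@dataclass(frozen=True)
class SpdEntry:
    dst_net: str              # destination selector in CIDR notation
    dst_port: Optional[int]   # destination port selector; None matches any port
    action: str               # "PROTECT", "BYPASS" or "DISCARD"


def spd_lookup(spd: List[SpdEntry], dst_ip: str, dst_port: int) -> str:
    """Return the action of the first SPD entry whose selectors match the packet.

    An SPD is ordered, so a narrow PROTECT entry must come before a broad BYPASS
    entry to take effect. With no matching entry we fall back to DISCARD, the
    conservative default.
    """
    ip = ipaddress.ip_address(dst_ip)
    for entry in spd:
        net = ipaddress.ip_network(entry.dst_net, strict=False)
        if ip in net and (entry.dst_port is None or entry.dst_port == dst_port):
            return entry.action
    return "DISCARD"


def check_policy_consistency(spd: List[SpdEntry],
                             discovery_portal: Portal,
                             target_portals: List[Portal]) -> Dict[str, object]:
    """Check the situation described in the post.

    If the discovery session was protected by IPsec, every operational portal
    learned through it should also fall under a PROTECT entry; portals that do
    not are reported so the policy can be corrected by its administrator.
    """
    discovery_protected = spd_lookup(spd, *discovery_portal) == "PROTECT"
    unprotected = [p for p in target_portals if spd_lookup(spd, *p) != "PROTECT"]
    return {
        "discovery_protected": discovery_protected,
        "unprotected_portals": unprotected,
        # Inconsistent only in the case the post asks about: discovery was
        # protected, but at least one operational portal would not be.
        "inconsistent": discovery_protected and bool(unprotected),
    }


# Constructed sample policy and portals (RFC 5737 documentation addresses).
SAMPLE_SPD = [
    SpdEntry("192.0.2.0/24", ISCSI_PORT, "PROTECT"),  # storage subnet: protect iSCSI
    SpdEntry("0.0.0.0/0", None, "BYPASS"),             # everything else in the clear
]
SAMPLE_DISCOVERY_PORTAL: Portal = ("192.0.2.10", ISCSI_PORT)
SAMPLE_TARGET_PORTALS: List[Portal] = [
    ("192.0.2.20", ISCSI_PORT),    # same storage subnet, covered by the PROTECT entry
    ("198.51.100.5", ISCSI_PORT),  # returned by SendTargets but outside the protected range
]

if __name__ == "__main__":
    print(check_policy_consistency(SAMPLE_SPD, SAMPLE_DISCOVERY_PORTAL, SAMPLE_TARGET_PORTALS))
```

The point the check makes is that the iSCSI layer itself never consults the SPD: the portals SendTargets returns may live on a different subnet from the discovery portal, so whether the operational session ends up protected depends entirely on how the selectors were written, which is exactly why the consistency question belongs to policy administration rather than to the protocol.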

