Re: does iSCSI layer need to check IPsec policy? I hope not.

On Tue, Feb 04, 2003 at 05:06:20PM -0700, vince_cavanna <at> agilent.com wrote:

 > How does the iSCSI layer know that the session is protected by IPsec?
 > This is not addressed in the iSCSI spec. In theory only the management

...it's not really address in the pfkey API spec, either (there are a lot
of things about pfkey that are annoying   But that's beside the point.

This basically falls into the realm of "implementation detail", and one
would hope that if an administrator wanted to make sure that IPsec were
use, they would configure the policy such that all non-protected packes
were rejected at the IPsec layer.

Presumably, if iSCSI wanted a certain IPsec policy, then your management
software would handle this.  Conceptually, it's not all that different from
the fact that iSCSI requires you to have an IP address, yet how that IP
address is obtained is outside of the scope of iSCSI 

--

-- 
        -- Jason R. Thorpe <thorpej <at> wasabisystems.com>