Performance Considerations; Host Connectivity Considerations - Dell EqualLogic PS6100 series Configuration Manual


Kerberos-based authentication is not supported.
Multiple Root Certificate Authorities (CA) are not supported.
Certificate Revocation Lists (CRL) are not supported.
Only users with group administrator privileges can configure IPsec.
Perfect Forward Secrecy (PFS) is not supported.
Encrypted private keys are not supported for X.509 format certificates.
Dell recommends using a minimum of 3600 seconds and 10GB lifetime rekey values.
IKE mobility is not supported.
NAT Traversal (NAT-T) is not supported. Dell recommends against placing a firewall that performs
address translation between the PS Series group and its IPsec peers.
If you use the Windows default IPsec lifetime rekey values, the high rekey rates may be disruptive
for protected iSCSI traffic. Values in the range of 1GB to 100GB, depending on iSCSI traffic, are
recommended instead.
6.3.9 Performance considerations

The performance impact of IPsec varies by host and network configuration, and increases with the
number of IPsec-protected iSCSI connections to the group. Even if IPsec is only used to protect traffic
between group members, I/O performance is still affected. Based on these factors, you can expect
that using IPsec may degrade I/O performance.
Although PS Series group members use hardware to accelerate cryptographic operations, many
initiators perform these operations in software, which can cause a further reduction in the speed of
communications between iSCSI initiators and the group.
6.3.10 Host Connectivity Considerations

Enabling or disabling IPsec for the group using the IPsec enable and IPsec disable commands might
disrupt host connectivity to the group for several minutes. To prevent unplanned outages, IPsec
should be enabled or disabled during a planned maintenance window when there are no active iSCSI
connections to any volumes.
Consult the documentation for your host operating systems, HBAs, and iSCSI initiators to verify that
they support IPsec. There might also be known issues and idiosyncrasies with the initiators' IPsec
support that require additional planning or configuration.
When configuring IPsec with Windows hosts, note the following:
IPsec traffic is not always handled correctly if the IPsec policy is configured to protect only a subset of
traffic between the host and the group. For example, if the IPsec policy protects only iSCSI traffic on
port 3260, the Windows host may not perform reliably when connecting to the group. As a
workaround, IPsec policies should apply to all traffic passing between the group and Windows
systems. Microsoft KB article 2665206 discusses this in greater detail.
IPsec must be configured using the Windows Firewall with Advanced Security. Do not use the IPsec
option in the Microsoft iSCSI initiator, which does not have the capability to fully configure an IPsec
configuration between the host and the group. Further, if you attempt to configure an IPsec
connection using the iSCSI initiator, the system might not allow you to remove the partial
configuration and replace it with a complete configuration created with Windows Firewall.
IPsec policies defined using the Local Security Policy Manager are not supported.
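
The Windows guidance above, as an added example that is not part of the Dell manual: a connection security rule created with the NetSecurity cmdlets (which manage Windows Firewall with Advanced Security) that protects all traffic to the group, followed by a check for rules that cover only a subset of it. The addresses, CA name, display names and the AES256/SHA1 choice are assumptions; confirm the algorithms and authentication method against the group's IPsec configuration.

```powershell
# Added example. Run in an elevated session during a maintenance window.
# Constructed placeholder values (not from the manual):
$GroupAddresses = @('192.0.2.10', '192.0.2.11')      # group IP and member addresses
$RootCaDn       = 'CN=Example Root CA, O=Example'     # single root CA (multiple are not supported)

# Quick mode lifetimes at the recommended minimum: 60 min = 3600 s, 10 GB = 10485760 KB.
# PFS is not supported by the group, so it is explicitly disabled.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA1 `
    -MaxMinutes 60 -MaxKiloBytes 10485760             # algorithms are an assumption
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'PS Series quick mode' `
    -Proposal $qmProposal -PerfectForwardSecrecyGroup None

# Certificate authentication (Kerberos is not supported by the group).
$authProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $RootCaDn -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'PS Series cert auth' `
    -Proposal $authProposal

# One rule for ALL traffic between this host and the group: -Protocol Any and
# no port filter, rather than a rule limited to iSCSI on TCP 3260.
New-NetIPsecRule -DisplayName 'PS Series group - all traffic' `
    -RemoteAddress $GroupAddresses -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Check: list IPsec rules aimed at the group that protect only a subset of traffic.
Get-NetIPsecRule | ForEach-Object {
    $addr = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $_
    $port = Get-NetFirewallPortFilter    -AssociatedNetIPsecRule $_
    $hitsGroup = @($addr.RemoteAddress | Where-Object { $GroupAddresses -contains $_ }).Count -gt 0
    $subset = ($port.Protocol -ne 'Any') -or
              ("$($port.LocalPort)" -ne 'Any') -or ("$($port.RemotePort)" -ne 'Any')
    if ($hitsGroup -and $subset) {
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Protocol   = $port.Protocol
            LocalPort  = "$($port.LocalPort)"
            RemotePort = "$($port.RemotePort)"
        }
    }
}
```

Any rule the check prints is a partial policy of the kind described above; with only the all-traffic rule in place it prints nothing.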
March 2013
Dell EqualLogic Configuration Guide v14.1
6-59
