Subject: Re: Anyone working on ATA over Ethernet?
To: None <tech-kern@NetBSD.org>
From: Matthew Mondor <mm_lists@pulsar-zone.net>
List: tech-kern
Date: 02/15/2005 05:11:25

On Tue, 15 Feb 2005 10:04:53 +0100
Ignatios Souvatzis <ignatios@cs.uni-bonn.de> wrote:

> But if iSCSI is seen as a wide area transport, don't forget the cost
> of either secured separate cabling, or IPSec at both ends...
> 
> At least, with iSCSI there is this option. With ATA over raw Ethernet,
> I'm not aware of such a solution (unless you count using an encrypted
> disk layer like cgd on top of that, which doesn't solve all the 
> problems).

I guess that an abstraction to an interface rather than for transfer
over specific hardware would allow using, say, tun(4) with custom stream
processing, but hardware medium specific optimizations would most
probably be lost (and it's yet again another software layer requiring
further processing)...  And no longer AoE.

tun(4) use also implies that some userspace daemon would need to handle
the data, while such software doesn't actually have direct access to
low-level hardware resources, i.e. to route packets directly through
ethernet.  Even if the required access existed for userland, this would
mean a lot of kernel->userland<-kernel transactions :)

So yes, for AoE to be secure, since using CGD wouldn't really suit in
this system (all access patterns would be available for analysis), a
cryptographic layer would need to be part of the protocol design and
done in kernelspace ideally.  For trusted low range wiring, it would be
an interesting alternative to USB storage, however.  I can't envision it
being used in untrustable environments (so excluding its use in most
decently sized ethernet networks, or long range communications,
definitely).

Matt
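
An added illustration, not part of the original message, of the access-pattern point above: with cgd layered on top of AoE only the sector data is encrypted, so the operation, LBA and sector count in each request header stay readable on the wire. The header offsets follow the AoE frame layout as an assumption, and the frames and payload are constructed samples.

```python
import struct
from collections import Counter

AOE_ETHERTYPE = 0x88A2  # EtherType registered for ATA over Ethernet
ATA_OFF = 24            # 14-byte Ethernet header + 10-byte AoE header (assumed layout)

def build_frame(write, lba, nsect, payload=b""):
    """Constructed sample request: Ethernet + AoE + ATA headers, then sector data."""
    eth = bytes(12) + struct.pack("!H", AOE_ETHERTYPE)
    aoe = struct.pack("!BBHBBI", 0x10, 0, 0, 0, 0, 0)   # ver 1, shelf 0, slot 0, cmd 0 = ATA
    aflags = 0x40 | (0x01 if write else 0x00)           # E = LBA48, W = write
    ata = bytes([aflags, 0, nsect, 0x34 if write else 0x24])
    return eth + aoe + ata + lba.to_bytes(6, "little") + bytes(2) + payload

def observe(frame):
    """What anyone on the segment can read: (op, lba, sectors), else None."""
    if len(frame) < ATA_OFF + 12:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != AOE_ETHERTYPE:
        return None
    ver_flags, _err, _shelf, _slot, cmd, _tag = struct.unpack_from("!BBHBBI", frame, 14)
    if ver_flags & 0x08 or cmd != 0:                    # skip responses and non-ATA commands
        return None
    aflags, nsect = frame[ATA_OFF], frame[ATA_OFF + 2]
    lba = int.from_bytes(frame[ATA_OFF + 4:ATA_OFF + 10], "little")
    return ("write" if aflags & 0x01 else "read", lba, nsect)

def hot_sectors(frames, top=3):
    """Rank sectors by access count using header fields only; payload is never read."""
    hits = Counter()
    for frame in frames:
        seen = observe(frame)
        if seen:
            op, lba, nsect = seen
            hits.update((op, s) for s in range(lba, lba + nsect))
    return hits.most_common(top)

# Constructed trace; the payload stands in for cgd ciphertext and stays opaque.
CIPHERTEXT = bytes(range(256)) * 2
TRACE = [build_frame(True, 2048, 1, CIPHERTEXT), build_frame(False, 1000000, 2),
         build_frame(True, 2048, 1, CIPHERTEXT), build_frame(False, 1000000, 2),
         build_frame(True, 2048, 1, CIPHERTEXT)]

if __name__ == "__main__":
    for frame in TRACE:
        print(observe(frame))
    print(hot_sectors(TRACE, top=1))
```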