
Re: ICMP Security Failures



>
>I'd like to expunge use of the terms "transport-mode" and
>"tunnel-mode" from IPSEC documents. Not because the modes they
>describe aren't useful, but because I really consider them completely
>orthogonal to the security mechanisms IPSEC provides.
>

Hrmm, I don't have any comments on the wisdom of this change, but...

Even if the words "transport-mode" and "tunnel-mode" are expunged,
I hope the documents will clearly explain this type of usage and its
importance somewhere.

Tunnelling is a very useful mode.  It's most useful for routers,
bump-in-the-stack encryptors, IP forwarding (e.g. IP ``remailers''),
and perhaps also firewalls...but I don't think the utility is limited
to those situations.

It's important that implementors realize they must support this mode
of operation.  The tunnel/transport modes aren't orthogonal, from
the implementation perspective: to support tunnel-mode, the IPSEC
modules must be re-entrant, and must deal with remembered security
state when processing IP headers.  Implementors probably won't think
to support all this if it's not described explicitly in the spec.
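An added illustration of the point made above about re-entrancy (example code, not from the original message or any IPsec implementation): a toy inbound path that keeps looping while the datagram it just decapsulated still carries ESP. The encapsulation layout (transport: original IP header, ESP, transport payload; tunnel: new outer IP header, ESP, whole inner datagram with next-header 4) follows ESP, but the cipher, the addresses, the keys and the SPIs are constructed for the demo, and the keystream/ICV construction is an illustrative stand-in, not a real ESP transform. The list of SPIs that protected the packet is the "remembered security state" the inner headers have to be checked against.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4   # next-header value of a tunnel-mode ESP payload (IP-in-IP)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12       # truncated HMAC, in the style of ESP's 96-bit ICVs

@dataclass
class SA:
    spi: int
    key: bytes
    tunnel_src: bytes = b""   # set only on tunnel-mode SAs (outer header endpoints)
    tunnel_dst: bytes = b""
    seq: int = 0              # outbound sequence counter
    last_seen: int = 0        # inbound anti-replay state (simplified: strictly increasing)

def ip4(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header; the header checksum is left zero for the demo.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt: bytes):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or total > len(pkt):
        raise ValueError("bad IPv4 header")
    return proto, src, dst, pkt[20:total]

def keystream(sa: SA, seq: int, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256 (illustrative only, not an ESP cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(sa.key + struct.pack("!IIQ", sa.spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]

def esp_encrypt(sa: SA, plaintext: bytes, next_header: int) -> bytes:
    sa.seq += 1
    body = plaintext + bytes([next_header])          # ESP trailer carries the next-header byte
    ct = bytes(a ^ b for a, b in zip(body, keystream(sa, sa.seq, len(body))))
    hdr = struct.pack("!II", sa.spi, sa.seq)         # SPI, sequence number
    icv = hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ct + icv

def esp_decrypt(sadb: dict, esp: bytes):
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sadb.get(spi)
    if sa is None:
        raise ValueError("unknown SPI %#x" % spi)
    ct, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(sa.key, esp[:8] + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch")
    if seq <= sa.last_seen:
        raise ValueError("replayed sequence number")
    sa.last_seen = seq
    body = bytes(a ^ b for a, b in zip(ct, keystream(sa, seq, len(ct))))
    return sa, body[-1], body[:-1]                   # SA used, next header, plaintext

def transport_protect(sa: SA, pkt: bytes) -> bytes:
    # Transport mode: keep the original IP header, ESP wraps only the upper-layer payload.
    proto, src, dst, payload = parse_ipv4(pkt)
    return build_ipv4(src, dst, IPPROTO_ESP, esp_encrypt(sa, payload, proto))

def tunnel_protect(sa: SA, pkt: bytes) -> bytes:
    # Tunnel mode: the whole datagram is the ESP payload; a new outer header uses the SA endpoints.
    return build_ipv4(sa.tunnel_src, sa.tunnel_dst, IPPROTO_ESP, esp_encrypt(sa, pkt, IPPROTO_IPIP))

def inbound_process(sadb: dict, pkt: bytes, max_depth: int = 4):
    """Re-entrant inbound path: loops while the datagram still carries ESP.
    Returns (proto, src, dst, payload, spis_applied); the SPI list is the security
    state a policy check needs, since the inner headers were only visible after decryption."""
    applied = []
    for _ in range(max_depth):
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto != IPPROTO_ESP:
            return proto, src, dst, payload, applied
        sa, next_header, plain = esp_decrypt(sadb, payload)
        applied.append(sa.spi)
        if next_header == IPPROTO_IPIP:
            pkt = plain                                      # tunnel mode: re-enter with inner datagram
        else:
            pkt = build_ipv4(src, dst, next_header, plain)   # transport mode: same header, proto restored
    raise ValueError("too many nested IPsec layers")

def demo():
    # Constructed scenario: host A and host B run transport-mode ESP end to end, and
    # gateways G1/G2 additionally tunnel the traffic between the two sites.
    a, b, g1, g2 = map(ip4, ("10.0.0.2", "10.1.0.2", "192.0.2.1", "198.51.100.1"))
    k_host, k_gw = b"host-sa-key", b"gateway-sa-key"
    tx = {0x100: SA(0x100, k_host), 0x200: SA(0x200, k_gw, g1, g2)}   # sender-side SAs
    rx = {0x100: SA(0x100, k_host), 0x200: SA(0x200, k_gw, g1, g2)}   # receiver-side SAs
    tcp = b"\x04\xd2\x00\x50SYN"                                        # fake TCP segment
    pkt = build_ipv4(a, b, IPPROTO_TCP, tcp)
    pkt = transport_protect(tx[0x100], pkt)   # inner layer: transport-mode ESP, A -> B
    pkt = tunnel_protect(tx[0x200], pkt)      # outer layer: tunnel-mode ESP, G1 -> G2
    return inbound_process(rx, pkt)

if __name__ == "__main__":
    print(demo())
```

The second pass through the loop is the re-entrancy the message is talking about: after the gateway tunnel is stripped, the module is handed a complete IP datagram again and must process it from the top, including a second ESP lookup. Returning the applied SPIs rather than discarding them is what lets the caller decide whether the inner source/destination pair was actually authorised under those SAs.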