
RE: FW: tunnel mode



The reason that Tunnel/Transport attributes are required is due to the
fact that in our policy we may elect to dictate to our peer that they
must do tunnel mode (or transport mode).  Then our peer would not have
the ability to use its local policy to determine which mode it uses.

I believe that some language is needed stating that if no KEP tunnel
attributes are present in the SA, then it is up to the local policy to
decide which mode to use.  But if some tunnel mode attributes are present
in the SA, then the two communicating parties MUST use that mode when
communicating between themselves.

i.e. If ISAKMP/Oakley contains tunnel mode attributes in the agreed
proposal, then both parties must utilize those attributes; if not, then
it is up to local policy.

>----------
>From: 	Daniel Harkins[SMTP:dharkins@cisco.com]
>Sent: 	Tuesday, December 17, 1996 11:11 PM
>To: 	Roy Pereira
>Cc: 	'IPSEC Mailing List'; 'isakmp-oakley'
>Subject: 	Re: FW: tunnel mode 
>
>I'm not sure, but I believe this was Derrell Piper responding to Roy Pereira:
>> >Derrell, how do we do DES-HMAC-MD5/SHA1 in tunnel mode?  Your 
>> >current draft doesn't allow for this.  Am I missing something?  It also
>> >doesn't include the newer 3DES-HMAC-MD5/SHA1.
>> 
>> Except for the old-style ESP, you can't in the current incarnation of 
>> the drafts.
>> 
>> I made a note during the ipsec wg that I needed to add Tunnel and 
>> Transport SA Attributes.  They'll be in the next version of the draft,
>> along with a proscribed set of defaults for the existing attributes.
>> 
>> Suggestions on what those defaults should be are most welcome...
>
>  I don't see why Tunnel or Transport attributes need to be negotiated.
>There shouldn't be anything wrong with using a single SA for both provided
>there were no PFS restrictions on the SA.
>  This seems to me to be an issue of the particular IPsec implementation's
>policy engine, not of SA negotiation. If some packet needs security to go 
>through an encrypting router, and a SA exists to that router then the policy 
>defined in that SA is applied in tunnel mode. If some later packet needs to 
>go to the router itself (not through it) why not just apply the SA in 
>transport mode?
>
>  Dan.
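An added example (not from this thread or any of its authors) modelling the two positions above in Python: the top poster's rule that an Encapsulation Mode attribute in the agreed proposal is binding on both peers, with local policy deciding only when it is absent, and Dan's local policy of applying one SA in transport mode to the encrypting router itself and in tunnel mode to traffic going through it. The attribute type and value numbers are the ones later assigned in the IPsec DOI (RFC 2407), not values from this thread; the addresses are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

# ISAKMP SA attribute "Encapsulation Mode" (type 4; Tunnel=1, Transport=2).
# These numbers come from the later IPsec DOI (RFC 2407), not from the thread.
ENCAPSULATION_MODE = 4
TUNNEL_VALUE, TRANSPORT_VALUE = 1, 2

class Mode(Enum):
    TUNNEL = "tunnel"
    TRANSPORT = "transport"

@dataclass
class NegotiatedSA:
    """One SA as agreed with a peer security gateway (Dan's 'single SA')."""
    peer_gateway: str                 # address of the encrypting router itself
    protected_nets: list[str]         # networks reached *through* that router
    attributes: dict[int, int] = field(default_factory=dict)  # type -> value

def negotiated_mode(sa: NegotiatedSA) -> Optional[Mode]:
    """Mode dictated by the agreed proposal, or None if no mode attribute."""
    value = sa.attributes.get(ENCAPSULATION_MODE)
    if value is None:
        return None
    if value == TUNNEL_VALUE:
        return Mode.TUNNEL
    if value == TRANSPORT_VALUE:
        return Mode.TRANSPORT
    raise ValueError(f"unknown Encapsulation Mode value {value}")

def local_policy_mode(sa: NegotiatedSA, dst: str) -> Mode:
    """Dan's local policy: to the router itself -> transport; through it -> tunnel."""
    if ip_address(dst) == ip_address(sa.peer_gateway):
        return Mode.TRANSPORT
    if any(ip_address(dst) in ip_network(net) for net in sa.protected_nets):
        return Mode.TUNNEL
    raise LookupError(f"local policy has no entry covering {dst}")

def select_mode(sa: NegotiatedSA, dst: str) -> Mode:
    """The top poster's rule: a negotiated mode is binding on both peers;
    only when the proposal carried none does local policy decide."""
    return negotiated_mode(sa) or local_policy_mode(sa, dst)
```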