Re: Comments on ipsec-arch-sec-01.txt
> Requiring that the tunnel/transport-mode distinction be part of the SA
> will break several existing implementations that my employer is using.
> It also goes against the grain of not changing the specification in a way
> that makes existing conforming implementations non-conforming. I would
> also request that it be deleted as a mandatory or recommended SA attribute.

Many of the interoperable ISAKMP/Oakley implementations here at the ANX are
using the encapsulation mode attribute to negotiate tunnel/transport mode.
Though not mandated by the current IPSEC DOI, most of us have implemented
this attribute and find it quite useful to know a priori whether we're
negotiating transport or tunnel mode. You'll note that the DOI does *not*
mandate this attribute precisely because you (and others) raised objections
to doing so way back when. However, there are many of us who find this
attribute useful and I doubt there is consensus to remove it from the DOI.

Derrell