
Re: Comments on ipsec-arch-sec-01.txt



> Many of the interoperable ISAKMP/Oakley implementations here at the ANX are
> using the encapsulation mode attribute to negotiate tunnel/transport mode.
> Though not mandated by the current IPSEC DOI, most of us have implemented
> this attribute and find it quite useful to know a priori whether we're
> negotiating transport or tunnel mode.  You'll note that the DOI does *not*
> mandate this attribute precisely because you (and others) raised objections
> to doing so way back when.  However there are many of us who find this
> attribute useful and I doubt there is consensus to remove it from the DOI.

I was never questioning its value in the DOI.  I imagine it could be quite
useful for all sorts of policy decisions during key mgmt.  I do appreciate
that the DOI allows for "both" when it is unspecified.  I like this attribute
in the DOI because of what it enables w.r.t. policy.

I was questioning whether or not it belonged as a required SA attribute
in the IPsec _architecture_ document.  I've always thought of the case where
two IPsec routers use the same SA to protect traffic between themselves in
transport mode with the same SAs they use to protect packets they're
forwarding in tunnel mode.

Just to be clear.

Dan

