
Re: Re[2]: IPSEC document reading party!



Derrell D. Piper writes:
> >What John was trying to say, I think, is that tunneled ESP without
> >encryption and _integrity_ would be better served by just using
> >IP-in-IP.
> 
> I'd agree with that.  But that wasn't clear from John's message.  I'll add a
> statement to this regard in the next rev of the DOI.

I'm not certain that this makes much sense.  If we negotiate ESP, then I
would expect packets to contain a true ESP payload.  If we want to be
able to negotiate a simple IP-in-IP tunnel, then there should be another
mechanism for doing so.  However, I'd claim that this does not belong in
ISAKMP, because there would be an ambiguity in how to manage the SAs
(from the IPsec perspective), and ISAKMP never seems to have been
intended to be used as a tunnel management protocol.

If someone wants to negotiate an IP-in-IP tunnel, they should find
another method for doing so.  I think that the DOI already makes ISAKMP
look too much like a tunnel management protocol, making it difficult to
use for pure SA and Key Management.  If we had more time, I would
suggest jettisoning all tunnel management to another protocol, which
cooperated with ISAKMP to negotiate the tunnel-policy/tunnel-parameters
pair.

Please do not make this change.


ben


> 
> Derrell
> 
> >-----Original Message-----
> >From:	svakil@usr.com [SMTP:svakil@usr.com]
> >Sent:	Saturday, December 13, 1997 1:49 PM
> >To:	gordo@telsur.cl; tytso@MIT.EDU; John Ioannidis
> >Cc:	ipsec@tis.com
> >Subject:	Re[2]: IPSEC document reading party!
> >
> >     ESP tunneling without encryption cannot be substituted with IP-in-IP 
> >     tunneling.  It provides authentication and integrity services to the 
> >     encapsulated packet.  Note that this is different from AH which will 
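The property the thread argues over (an ESP tunnel with NULL encryption still authenticates the encapsulated packet, while plain IP-in-IP does not) can be shown concretely. The following is an added example, not code from the list or any of its participants: it builds both encapsulations in Python, lets an in-flight attacker rewrite the inner destination address, and decapsulates. The ESP header/trailer layout follows RFC 2406, NULL encryption RFC 2410, and IP-in-IP RFC 2003; the key, SPI, addresses and payload are constructed sample values, and IPv4 header checksums are left at zero to keep the example short.

```python
import hashlib
import hmac
import socket
import struct

PROTO_IPIP = 4    # IP-in-IP encapsulation (RFC 2003)
PROTO_TCP = 6
PROTO_ESP = 50    # Encapsulating Security Payload (RFC 2406)
ICV_LEN = 12      # HMAC-SHA1-96: the HMAC tag is truncated to 96 bits

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. The header checksum is left at zero
    for brevity; a real stack would compute it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a packet with a 20-byte header."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45:
        raise ValueError("only option-less IPv4 headers are handled here")
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), pkt[20:total]

# --- Plain IP-in-IP tunnel: outer header, then the inner packet, nothing else.
def build_ipip(outer_src, outer_dst, inner):
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner)) + inner

def decap_ipip(pkt):
    proto, _, _, payload = parse_ipv4(pkt)
    if proto != PROTO_IPIP:
        raise ValueError("not IP-in-IP")
    return payload  # accepted as-is: nothing binds the inner packet to the tunnel

# --- ESP tunnel mode with NULL encryption and HMAC-SHA1-96 authentication.
def esp_icv(key, authenticated):
    """ICV covers SPI, sequence number, payload (the inner packet) and trailer."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]

def build_esp_null(outer_src, outer_dst, spi, seq, inner, key):
    # Pad so that Pad Length + Next Header end on a 4-byte boundary (RFC 2406 2.4);
    # the NULL cipher itself imposes no block size (RFC 2410).
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))               # default self-describing padding
    trailer = padding + bytes([pad_len, PROTO_IPIP])     # Next Header = 4 in tunnel mode
    authenticated = struct.pack("!II", spi, seq) + inner + trailer
    esp = authenticated + esp_icv(key, authenticated)
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp

def decap_esp_null(pkt, key):
    """Verify the ICV, then strip the ESP header and trailer. Raises on tampering."""
    proto, _, _, esp = parse_ipv4(pkt)
    if proto != PROTO_ESP:
        raise ValueError("not ESP")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(esp_icv(key, authenticated), icv):
        raise ValueError("ESP ICV check failed: packet modified in transit")
    pad_len, next_hdr = authenticated[-2], authenticated[-1]
    if next_hdr != PROTO_IPIP:
        raise ValueError("unexpected Next Header %d" % next_hdr)
    return authenticated[8:-(2 + pad_len)]   # drop SPI/seq in front, trailer at the back

def rewrite_inner_dst(pkt, inner_offset, new_dst):
    """On-path attacker: overwrite the inner header's destination address.
    The inner header sits at offset 20 in IP-in-IP and 28 in ESP (after the
    8-byte SPI/sequence header); with NULL encryption it is plaintext either way."""
    b = bytearray(pkt)
    b[inner_offset + 16:inner_offset + 20] = socket.inet_aton(new_dst)
    return bytes(b)

# Constructed sample traffic: a tunnel between two gateways carrying one inner packet.
KEY = b"constructed-sample-key-not-for-real-use"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", PROTO_TCP, 12) + b"hello, world"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"

def demo():
    """What each decapsulator hands to the stack after the inner destination
    was rewritten in flight."""
    ipip = rewrite_inner_dst(build_ipip(GW_A, GW_B, INNER), 20, "10.2.2.66")
    esp = rewrite_inner_dst(build_esp_null(GW_A, GW_B, 0x1000, 1, INNER, KEY), 28, "10.2.2.66")
    results = {"ipip_inner_dst": parse_ipv4(decap_ipip(ipip))[2]}   # forgery accepted
    try:
        decap_esp_null(esp, KEY)
        results["esp"] = "accepted"
    except ValueError as e:
        results["esp"] = str(e)                                      # forgery rejected
    return results

if __name__ == "__main__":
    print(demo())
```

The IP-in-IP decapsulator happily delivers a packet whose inner destination was changed on the wire, whereas the ESP decapsulator rejects it because the ICV binds the whole encapsulated packet to the SA's key. That is exactly the difference between "ESP with a NULL cipher" and "just IP-in-IP", and why the two are not interchangeable on the wire even when no confidentiality is negotiated.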


