
Re: some issues about IPSec




> Jeff,
> 
> Transport mode has less overhead than tunnel mode, because there is no need
> for a second IP header, and that by itself makes it attractive in many
> instances.
> 

O.K., so performance is the primary criterion (benefit)?  Tunnel mode is
*only* peer to peer, correct?

So the primary issue would be gateway to gateway scenarios, in which
all the ESP/AH formatting is done in the gateway only, and not done
by the clients whose clear text traffic is transformed by the
gateway?

But for remote access clients (ISP dial-ups) I don't see performance as an
issue, and don't see the benefit of transport mode outweighing the
drawbacks, because:

1)  If a remote access client is doing peer to peer, the performance
bottleneck isn't in the extra ESP/AH formatting, it's in the internet
cloud (the isp hardware and routing process).

2)  Probably 100% or close to it (correct me if I'm wrong please) will be
running BIST implementations, and for this performance will be *better*
using tunnel mode.

Given 1 and 2, it seems to be to the detriment of remote access clients to
require tunnel mode (again, please correct me if I'm wrong).

However, since the specification does not preclude implementations from
exclusively utilizing a tunnel mode security policy, I suppose the market
place will determine the best solutions by the type of security gateways
they implemented for remote access solutions.  It just seems like a waste
of resources to require the implementation given the analysis contained
herein for remote access BIST implementations.

Sincerely,
Jeffrey Goodwin

**  Ashley Laurent,Inc. **  Software Development  **     Consulting          **
*                                   *                                         *
* 707 West Avenue, Suite 201        *     voice: 512-322-0676                 *
* Austin, Texas 78701               *     fax  : 512-322-0680                 *
*                      web: http://www.osgroup.com                            * 
* Microsoft Solution Provider       *  	  Complete Systems Design/Development *
* Novell Professional Developer     *	  Systems Software/Device Drivers     *
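The quoted reply says transport mode saves the second IP header; the per-packet figures below make that concrete. This is an added worked example, not code from the thread or from any IPsec implementation: it assumes the RFC 4303 ESP layout (SPI, sequence number, IV, encrypted payload, padding to the cipher block size, 2-byte trailer, ICV) over IPv4, with a constructed 100-byte inner segment and two illustrative cipher/integrity suites.

```python
from dataclasses import dataclass

IPV4_HDR = 20      # bytes, IPv4 header without options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    """Constructed parameter sets for the example; lengths follow the RFCs for these algorithms."""
    name: str
    iv_len: int     # bytes of IV carried in the ESP payload
    block: int      # cipher block size the plaintext is padded to
    icv_len: int    # bytes of integrity check value


AES_CBC_HMAC_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", iv_len=16, block=16, icv_len=12)
DES3_CBC_HMAC_MD5 = EspSuite("3DES-CBC / HMAC-MD5-96", iv_len=8, block=8, icv_len=12)


def esp_padding(plaintext_len: int, block: int) -> int:
    # RFC 4303: Payload Data + Padding + Pad Length + Next Header must be a multiple of the block size.
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_packet_len(inner_len: int, suite: EspSuite, tunnel: bool) -> int:
    """Total on-the-wire length of an ESP packet for an original IPv4 packet of IPV4_HDR + inner_len bytes.

    inner_len is everything after the original IP header (e.g. TCP header + data).
    Transport mode encrypts only that; tunnel mode encrypts the original IP header too
    and prepends a fresh outer IPv4 header.
    """
    plaintext = inner_len + (IPV4_HDR if tunnel else 0)
    pad = esp_padding(plaintext, suite.block)
    return IPV4_HDR + ESP_SPI_SEQ + suite.iv_len + plaintext + pad + ESP_TRAILER + suite.icv_len


def esp_overhead(inner_len: int, suite: EspSuite, tunnel: bool) -> int:
    """Bytes added relative to the original clear-text IPv4 packet."""
    return esp_packet_len(inner_len, suite, tunnel) - (IPV4_HDR + inner_len)


if __name__ == "__main__":
    inner = 100  # constructed: 20-byte TCP header + 80 bytes of data
    for suite in (AES_CBC_HMAC_SHA1, DES3_CBC_HMAC_MD5):
        t = esp_overhead(inner, suite, tunnel=False)
        u = esp_overhead(inner, suite, tunnel=True)
        print(f"{suite.name}: transport +{t} B, tunnel +{u} B, tunnel costs {u - t} B more")
```

Because padding is recomputed over the longer plaintext, the tunnel-mode penalty is not a flat 20 bytes: with the 100-byte segment it is 16 bytes under AES-CBC and 24 under 3DES-CBC.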


