
Re: some issues about IPSec



Jeff,

>O.K., so performance is the primary criteria (benefit) ?  Tunnel mode is
>*only* peer to peer, correct ?

Hosts MAY use tunnel mode for host-to-host communication.  Hosts MUST use
tunnel mode for communication with an SG, and SGs must always use tunnel
mode. Also, a message from Charlie Lynn provides several functional reasons
for transport mode over tunnel mode.

>So the primary issue would be gateway to gateway scenarios, in which
>all the ESP/AH formatting is done in the gateway only, and not be done
>by the clients whose clear text traffic is transformed by the
>gateway ?

As noted above, SGs always use tunnel mode, whether the other end is
another SG or a host.

>But for remote access clients (isp dial-ups) I don't see performance as an
>issue, and don't see the benefit of transport mode outweighing the
>drawbacks, because.

I would think that dialup access is a context where the extra bandwidth IS
an issue and I see later traffic on that topic shows some other folks agree.

>1)  If a remote access client is doing peer to peer, the performance
>bottleneck isn't in the extra ESP/AH formatting, it's in the internet
>cloud (the isp hardware and routing process).

Not sure my experience agrees with that characterization.  It varies.

>2)  Probably 100% or close to it (correct me if I'm wrong please) will be
>running BIST implementations, and for this performance will be *better*
>using tunnel mode.

MS is planning to release a native implementation in NT 5, but for now BITS
is certainly the way to go for most machines.  Also, Sun has had earlier
IPsec versions in Solaris for a while.  As a Mac user, I'll take whatever I
can get!

>Given 1 and 2, it seems to be to the detriment of remote access clients to
>require tunnel mode (again, please correct me if I'm wrong).

A remote access client must implement tunnel mode in order to communicate
with an SG, but not for host-to-host communication.  I thought your
complaint was about transport mode, right?

>However, since the specification does not preclude implementations from
>exclusively utilizing a tunnel mode security policy, I suppose the market
>place will determine the best solutions by the type of security gateways
>they implemented for remote access solutions.  It just seems like a waste
>of resources to require the implementation given the analysis contained
>herein for remote access BIST implementations.

Again, I'm confused a bit by your last comments, vs. earlier ones.  Tunnel
mode will be required for communication with an SG.  Frankly, I expect most
early use of IPsec will fall into two categories: SG-to-SG and remote user
to SG.  In both cases, tunnel mode is required, not transport. However,
we've been writing the specs not just for the more likely initial cases,
but for the general case, whenever we could figure out how to do that.

Steve
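To put the bandwidth argument in this exchange into numbers, here is an added example (not from the thread or either author) that estimates the on-the-wire size of an ESP-protected IPv4 packet in transport versus tunnel mode. The ESP layout (SPI + sequence number, IV, payload padded to the cipher block, pad-length and next-header bytes, then a 96-bit ICV) and the field sizes are assumptions chosen to match the ESP format as later standardized, not figures from the message.

```python
# Added example: per-packet cost of tunnel mode over transport mode for ESP
# on IPv4. Field sizes are assumptions (ESP as later standardized, 8-byte
# block cipher, HMAC-96 integrity check).

IPV4_HDR = 20      # outer (and, in tunnel mode, inner) IPv4 header, no options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
IV_LEN = 8         # CBC IV for an 8-byte block cipher such as DES/3DES
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_LEN = 12       # HMAC-MD5-96 / HMAC-SHA-1-96 authenticator


def esp_padding(protected_len: int, block: int = 8) -> int:
    """Padding so that protected data + trailer ends on a cipher-block boundary."""
    return (-(protected_len + ESP_TRAILER)) % block


def esp_size(ip_payload: int, mode: str) -> int:
    """Total IPv4 packet size on the wire for `ip_payload` bytes of
    upper-layer data (e.g. TCP header + data)."""
    if mode == "transport":
        # Only the upper-layer payload is encapsulated; the original IP
        # header is kept as the outer header.
        protected = ip_payload
    elif mode == "tunnel":
        # The whole original IP packet (inner header + payload) is
        # encapsulated, and a fresh outer IP header is prepended.
        protected = IPV4_HDR + ip_payload
    else:
        raise ValueError(f"unknown mode: {mode}")
    pad = esp_padding(protected)
    return IPV4_HDR + ESP_SPI_SEQ + IV_LEN + protected + pad + ESP_TRAILER + ICV_LEN


def tunnel_overhead(ip_payload: int) -> int:
    """Extra bytes per packet that tunnel mode costs relative to transport mode."""
    return esp_size(ip_payload, "tunnel") - esp_size(ip_payload, "transport")


if __name__ == "__main__":
    # Constructed sample sizes: a bare TCP ACK (40 bytes) and a 1000-byte segment.
    for payload in (40, 1000):
        t, u = esp_size(payload, "transport"), esp_size(payload, "tunnel")
        print(f"payload {payload:5d}: transport {t:5d}  tunnel {u:5d}  "
              f"extra {u - t} bytes ({100.0 * (u - t) / t:.1f}%)")
```

The extra cost is the inner IP header less whatever padding it displaces, so it is fixed in bytes and therefore matters most for the small packets that dominate interactive dial-up traffic.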



