
Re: some issues about IPSec



> 
> >So the primary issue would be gateway to gateway scenarios, in which
> >all the ESP/AH formatting is done in the gateway only, and not be done
> >by the clients whose clear text traffic is transformed by the
> >gateway ?
> 
> As noted above, SGs always use tunnel mode, whether the other end is
> another SG or a host.
> 
Thanks for the clarification.

> >But for remote access clients (isp dial-ups) I don't see performance as an
> >issue, and don't see the benefit of transport mode outweighing the
> >drawbacks, because.
> 
> I would think that dialup access is a context where the extra bandwidth IS
> an issue and I see later traffic on that topic shows some other folks agree.
> 

O.K., thanks for the input.  We're going to go ahead and special case
transport mode so our product is IPSEC compliant, even though hardly
anyone will likely use that feature based on customer feedback.

> 
> >However, since the specification does not preclude implementations from
> >exclusively utilizing a tunnel mode security policy, I suppose the market
> >place will determine the best solutions by the type of security gateways
> >they implemented for remote access solutions.  It just seems like a waste
> >of resources to require the implementation given the analysis contained
> >herein for remote access BIST implementations.
> 
> Again, I'm confused a bit by your last comments, vs. earlier ones.  Tunnel
> mode will be required for communication with an SG.  


This was what I needed clarification on, as stated above.

> Frankly, I expect most
> early use of IPsec will fall into two categories: SG-to-SG and remote user
> to SG.  In both cases, tunnel mode is required, not transport. However,
> we've been writing the specs not just for the more likely initial cases,
> but for the general case, whenever we could figure out how to do that.
> 

O.K., we'll comply, even though it's low on our customers' priority list.

Sincerely,
Jeffrey Goodwin

**  Ashley Laurent,Inc. **  Software Development  **     Consulting          **
*                                   *                                         *
* 707 West Avenue, Suite 201        *     voice: 512-322-0676                 *
* Austin, Texas 78701               *     fax  : 512-322-0680                 *
*                      web: http://www.osgroup.com                            * 
* Microsoft Solution Provider       *  	  Complete Systems Design/Development *
* Novell Professional Developer     *	  Systems Software/Device Drivers     *


