A simple question, I hope. Why do we need tunnel mode?

I have read most of the IPSEC drafts now, and I am still not sure why
there is this distinction between 'tunnel mode' and 'transport mode'.

If you consider life before IPSEC, to connect two routers over a
foreign network requires some 'encapsulation'. If that foreign network
is the Internet, the encapsulation required is an IP header. If you
are connecting sections of your Intranet together, this IP
encapsulation constitutes an IP-IP 'tunnel'.

Assuming your IP tunnel is in place, the IP forwarding function in a
router perceives these IP-in-IP packets as sourced datagrams and then
applies 'transport mode' security to protect the packet (if required by
the SPD).

Is there room for breaking out the tunnel requirement here? If I want a
router to support L2TP-over-IP and IP-IP tunnels, and I want both to be
secure, why can't I just use 'transport mode' security to do that?

So, could IPSEC always be node-to-node/transport-mode, even if the node
is a router?

I could see no protocol difference in the AH draft for not doing this.

On this topic, I'd like to use ESP and AH on the exchanges between my
routers and the architecture does not support that for 'tunnel mode' (in
the version I looked at any way). If I treat everything as
transport-mode as a true IPSEC BITS/BITL, I could do that.

One vote for untangling tunneling from IPSEC. What is probably missing
is a decent IP tunnel draft, to cover multi-protocol in a standard
way!

Cheers, Steve.
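Added illustration, not part of Steve's post: a Python sketch of the framing the post describes. It builds a plain IP-in-IP tunnel packet, applies ESP framing to it in transport mode, and compares the bytes with what tunnel mode ESP produces around the same inner packet. The ESP framing is plaintext only (no cipher, no ICV) and all addresses, SPI and payload are constructed.

```python
import socket
import struct

ESP = 50   # IP protocol number for ESP
IPIP = 4   # IP protocol number for IP-in-IP encapsulation

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def esp_frame(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP header (SPI, sequence) + payload + trailer (pad, pad length, next
    header). Plaintext framing only, so the layout stays visible."""
    pad_len = (-(len(payload) + 2)) % 4            # align trailer to 4 bytes
    pad = bytes(range(1, pad_len + 1))             # RFC 2406 default padding
    return struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_header])

def ipip_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Plain IP-in-IP tunnel, as a router builds it before any IPsec is applied."""
    return ipv4_header(outer_src, outer_dst, IPIP, len(inner)) + inner

def esp_transport(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the existing IP header, protect only what follows it."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst, proto = packet[12:16], packet[16:20], packet[9]
    body = esp_frame(spi, seq, packet[ihl:], proto)    # next header = original proto
    return ipv4_header(socket.inet_ntoa(src), socket.inet_ntoa(dst), ESP, len(body)) + body

def esp_tunnel(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: IPsec itself writes the outer header around the whole inner packet."""
    body = esp_frame(spi, seq, inner, IPIP)            # next header = 4 (IP-in-IP)
    return ipv4_header(outer_src, outer_dst, ESP, len(body)) + body

def same_on_the_wire(spi: int = 0x100, seq: int = 1) -> bool:
    """Constructed case: an intranet packet 10.1.0.5 -> 10.2.0.7 carried between
    two router gateways 198.51.100.1 and 203.0.113.2; 8 bytes of made-up payload."""
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 17, 8) + b"payload!"
    via_tunnel_mode = esp_tunnel(inner, "198.51.100.1", "203.0.113.2", spi, seq)
    via_transport_over_ipip = esp_transport(
        ipip_encapsulate(inner, "198.51.100.1", "203.0.113.2"), spi, seq)
    return via_tunnel_mode == via_transport_over_ipip   # True: identical bytes
```

The two paths produce identical bytes (outer IP, ESP, inner IP, payload); what differs is that in tunnel mode the IPsec layer itself writes the outer header and applies its SPD selectors to the inner one, whereas transport mode over IP-IP sees only the outer addresses.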