
Re: a simple question, I hope. Why do we need tunnel mode?




My thinking is similar. 

IP-in-IP mode of transport is a solution to get around enterprise
firewall scrutiny. However, IPSec is not limited to this type of
transport alone. Specifically, L2TP tunnels are equally good candidates
for IPSec in the remote access realm of security solutions. So, I don't 
see a need to categorize "IP-in-IP Tunnel Mode" as a distinct type of 
security. Transport mode security does cover the IP-in-IP tunnel mode,
as a special case.

cheers,
suresh

> 
> 
> I have read most of the IPSEC drafts now, and I am still not sure why
> there is this distinction between 'tunnel mode' and 'transport mode'.
> 
> If you consider life before IPSEC,  to connect two routers over a
> foreign network requires some 'encapsulation'.  If that foreign network
> is the Internet,  the encapsulation required is an IP header.  If you
> are connecting sections of your Intranet together,  this IP
> encapsulation constitutes an IP-IP 'tunnel'.
> 
> Assuming your IP tunnel is in place,  the IP forwarding function in a
> router perceives these IP-in-IP packets as sourced datagrams and then
> applies 'transport mode' security to protect the packet (if required by
> the SPD).
> 
> Is there room for breaking-out the tunnel requirement here?  If I want a
> router to support L2TP-over-IP and IP-IP tunnels, and I want both to be
> secure,  why can't I just use 'transport mode' security to do that?
> 
> So, could IPSEC always be node-to-node/transport-mode - even if the node
> is a router.  
> 
> I could see no protocol difference in the AH draft for not doing this.  
> 
> On this topic,  I'd like to use ESP and AH on the exchanges between my
> routers and the architecture does not support that for 'tunnel mode' (in
> the version I looked at any way).  If I treat everything as
> transport-mode as a true IPSEC BITS/BITL, I could do that.
> 
> One vote for untangling tunneling from IPSEC. What is probably missing
> is a decent IP tunnel draft, to cover multi-protocol in a standard
> way!
> 
> Cheers, Steve.  
> 
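Both messages above make a concrete claim: AH "tunnel mode" produces the same thing as applying AH "transport mode" to a packet that an IP-in-IP tunnel has already encapsulated. The following Python is an added illustration of that claim, not code from this thread or from any IPsec implementation. It follows the later RFC 4302 AH layout (Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV) and mutable-field zeroing, with HMAC-SHA-256-128 as the integrity algorithm (RFC 4868 truncation). The addresses, key, SPI and inner packet are constructed for the demonstration, and no IP options or fragmentation are handled.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4       # IP-in-IP encapsulation (RFC 2003)
IPPROTO_AH = 51        # Authentication Header (RFC 4302)
ICV_LEN = 16           # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
AH_LEN_WORDS = (12 + ICV_LEN) // 4   # fixed AH fields + ICV, in 32-bit words

KEY = bytes(range(32))  # constructed demo key; a real SA key comes from IKE or manual config
SPI, SEQ = 0x1001, 1


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); fixed ID and DF flag for reproducibility."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipip_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """The plain IP-in-IP tunnel of RFC 2003: new outer header, protocol 4, original packet as payload."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the whole packet with mutable IPv4 fields (TOS, flags/frag, TTL, checksum) and the ICV zeroed."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    data = bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """AH transport mode: keep the packet's own IP header, insert AH between it and its payload."""
    ip_hdr, payload = bytearray(packet[:20]), packet[20:]
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], AH_LEN_WORDS - 2, 0, spi, seq)
    ip_hdr[9] = IPPROTO_AH                               # protocol now points at AH
    struct.pack_into("!H", ip_hdr, 2, 20 + len(ah_fixed) + ICV_LEN + len(payload))
    ip_hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", ip_hdr, 10, ipv4_checksum(bytes(ip_hdr)))
    ip_hdr = bytes(ip_hdr)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_tunnel(inner_packet: bytes, outer_src: str, outer_dst: str, key: bytes, spi: int, seq: int) -> bytes:
    """AH tunnel mode: new outer header | AH(next=4) | the entire original packet."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, AH_LEN_WORDS - 2, 0, spi, seq)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(inner_packet))
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, inner_packet) + inner_packet


def ah_verify(packet: bytes, key: bytes):
    """Receiver side: recompute the ICV and compare in constant time. Returns (valid, next_header, payload)."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        return False, None, b""
    ah_fixed = packet[20:32]
    ah_total = (ah_fixed[1] + 2) * 4
    icv, payload = packet[32:20 + ah_total], packet[20 + ah_total:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)), ah_fixed[0], payload


def describe_layout(packet: bytes):
    """Walk the header chain so the on-the-wire structure can be compared by eye."""
    def ip_desc(h):
        return "IPv4(src=%s dst=%s proto=%d)" % (IPv4Address(h[12:16]), IPv4Address(h[16:20]), h[9])
    layout, proto, off = [ip_desc(packet[:20])], packet[9], 20
    while True:
        if proto == IPPROTO_AH:
            proto, ah_total = packet[off], (packet[off + 1] + 2) * 4
            layout.append("AH(next=%d)" % proto)
            off += ah_total
        elif proto == IPPROTO_IPIP:
            hdr = packet[off:off + 20]
            layout.append(ip_desc(hdr))
            proto, off = hdr[9], off + 20
        else:
            layout.append("payload(%d bytes, proto=%d)" % (len(packet) - off, proto))
            return layout


def demo():
    # Constructed inner packet: a UDP datagram between two private hosts behind the routers.
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 12) + b"udp-payload!"
    via_transport = ah_transport(ipip_encapsulate(inner, "192.0.2.1", "198.51.100.1"), KEY, SPI, SEQ)
    via_tunnel = ah_tunnel(inner, "192.0.2.1", "198.51.100.1", KEY, SPI, SEQ)
    ok, next_header, _ = ah_verify(via_transport, KEY)
    tampered = bytearray(via_transport)
    tampered[-1] ^= 0x01                                 # one flipped bit in the inner payload
    return {
        "identical": via_transport == via_tunnel,        # transport-over-IPIP == tunnel mode, byte for byte
        "verified": ok,
        "ah_next_header": next_header,
        "tamper_detected": not ah_verify(bytes(tampered), KEY)[0],
        "layout": describe_layout(via_transport),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two construction paths yield byte-identical packets, and AH's Next Header is 4 (IP-in-IP) in both, which is exactly the point Suresh and Steve make about the wire format. What the layout does not show is the policy side that the IPsec architecture keeps separate: with a tunnel-mode SA the SPD selectors are matched against the inner packet's addresses and ports, whereas a transport-mode SA only sees the header it is handed, so a router that "just uses transport mode" over its own IP-in-IP tunnel has to make sure the tunnel decision itself is driven by the same policy.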


