
Re: a simple question, I hope. Why do we need tunnel mode?



Steve,

If an SA is tunnel mode, it has an interior IP header which is checked
against the selectors associated with that SA, whereas the outer IP header
is discarded. If an SA is transport mode, the outer IP header is checked
against these selectors and is not discarded. Thus the two modes impose
different processing requirements on received traffic. It is a security
requirement that a receiver be able to tell what processing is expected of
each packet received on an SA. If one transports other than IP in an IPsec
environment, there is still a requirement to use tunnel mode and to have an
inner IP header, above which one might employ a GRE header to encapsulate
the foreign protocol. We have not specified how non-IP traffic is to be
handled, but what I described would be consistent with the architecture as
it stands.

Steve
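As an added illustration of the receiver-side processing described above (example code written for this page, not from the list or from any IPsec implementation): once ESP processing has produced a next-header value and a payload, a tunnel-mode SA is matched against the inner IP header while a transport-mode SA is matched against the outer one, and a tunnel-mode SA that arrives without an inner IP header fails the check. The SA, selector and packet values are constructed, and ESP authentication/decryption is assumed to have happened already.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 4, 6, 47, 50  # IANA numbers

@dataclass
class IPv4Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int  # protocol carried directly above this header

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IHL=5, no options, header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(buf: bytes) -> IPv4Header:
    """Minimal IPv4 header parse: version check, then source, destination, protocol."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("buffer does not start with an IPv4 header")
    src, dst = struct.unpack("!4s4s", buf[12:20])
    return IPv4Header(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), buf[9])

@dataclass
class SA:
    mode: str                        # "tunnel" or "transport"
    src_sel: str                     # traffic selectors as CIDR, e.g. "10.1.0.0/16"
    dst_sel: str
    proto_sel: Optional[int] = None  # None matches any protocol

def inbound_selector_check(sa: SA, outer: bytes, next_header: int, esp_payload: bytes) -> bool:
    """ESP processing (assumed done elsewhere) yields next_header and esp_payload.
    Check the header the SA's mode prescribes: inner for tunnel, outer for transport."""
    if sa.mode == "tunnel":
        if next_header != IPPROTO_IPIP:
            return False  # outer header is discarded, so an inner IP header is required
        hdr = parse_ipv4(esp_payload)
    elif sa.mode == "transport":
        o = parse_ipv4(outer)  # outer header is kept; next_header is what ESP carried
        hdr = IPv4Header(o.src, o.dst, next_header)
    else:
        raise ValueError(f"unknown SA mode {sa.mode!r}")
    return (hdr.src in ipaddress.ip_network(sa.src_sel)
            and hdr.dst in ipaddress.ip_network(sa.dst_sel)
            and (sa.proto_sel is None or hdr.proto == sa.proto_sel))
```

A tunnel-mode SA with `proto_sel=IPPROTO_GRE` models the non-IP case from the message: the inner IP header is still what gets checked, and the foreign protocol sits above GRE inside it.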
