
RE: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]



Baiju,

>Let's say that there is a large server
>on which it does not make sense to implement
>IPSEC. In that case, one would put a small
>dedicated device to do IPSEC transport
>mode for all the intranet use.
>
>It is not a gateway. The dedicated box
>is implementing IPSEC function on
>behalf of a single server (could be a
>coprocessor for a mainframe system for
>all I know).
>
>This I hope is legal and will suffer from the
>problems being discussed.

This sounds like the moral equivalent of a BITW IPsec implementation, so to
that extent it is already covered.  However, as was just noted, for IPv6
this could prove even more complicated in that this device ought to be
aware of the same set of extension headers as the (single) host it serves.
That's just another example of the added complexity that arises from
non-native implementations.  That's not to say it can't be done, but it
also does not suggest that we ought to modify the spec to make it easier
for such implementations.  After all, such implementations already have to
deal with more complex fragmentation problems than native stack
implementations.

Steve



