
Re: ESP and AH used in tunnel mode by a Security Gateway



Ben,

>I'm guessing that since the encapsulation mode attribute is optional,
>the wildcard would be the absence of this attribute.  I think that it
>is a valuable thing to do on a Security Gateway which can also act as
>a Host implementation.  That way, communication between hosts behind
>the SG to the remote end is in tunnel mode and between the SG and the
>remote end is in transport mode.  This is the most efficient way to
>handle bandwidth in this case, since an unnecessary IP header is not
>added.

The Arch Doc states that the wildcard value in the SAD is applicable to
host implementations and reiterates that gateways must use tunnel mode.
(See section 4.4.3, pages 24-25, latest I-D.) Thus, the discussion of this
wildcard feature does not apply to the security gateway SA mode discussion
you're having here.

Steve

