
Re: clarification: end-to-end tunnel carries ALL traffic



William,

>A quick clarification on the current architecture doc regarding what is
>required to be compliant for end-to-end host tunneling:
>
>MUST: end-to-end host tunnel SA covers ALL transport IP between the two
>hosts
>NOT a MUST: end-to-end host tunnel SA per selector - for example one tunnel
>to carry all UDP, another for all TCP
>
>If implementations supported the latter, then some others might not
>interoperate if they only support the former.

The former capability is NOT compliant if that is the ONLY granularity at
which you can specify a tunnel between two hosts, two security gateways, or
between a host and a security gateway.  A compliant implementation MUST
support a full range of selectors for both transport and tunnel mode SAs.
Use of the transport protocol selectors would allow UDP vs. TCP SA
separation, as in your second example.  You must also allow for per-port
selectors, so that Telnet traffic is separate from HTTP or SMTP, for
example.

Steve
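The selector granularity discussed above, as an added example that is not part of the original thread: a toy Python model of an ordered SPD (Security Policy Database) lookup. The host addresses, SA labels, and the sample packets are all constructed for illustration; the code shows how a host-pair-only policy collapses every flow between two hosts onto one SA, while a policy with protocol and port selectors maps Telnet, HTTP, SMTP, other TCP, and UDP to separate SAs.

```python
"""Toy model of IPsec SPD selector matching (constructed example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

TCP, UDP = 6, 17
ANY = None  # wildcard for protocol or port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus optional protocol and destination port."""
    src: str                      # CIDR, e.g. "10.0.0.1/32"
    dst: str
    proto: Optional[int] = ANY    # 6 = TCP, 17 = UDP, None = any protocol
    dport: Optional[int] = ANY    # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is ANY or self.proto == pkt.proto)
                and (self.dport is ANY or self.dport == pkt.dport))


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    sa_name: str   # hypothetical label for the SA this policy entry selects


def lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[str]:
    """Return the SA of the first matching entry; the SPD is ordered, most specific first."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.sa_name
    return None


def sas_in_use(spd: List[SpdEntry], traffic: List[Packet]) -> Set[str]:
    """Distinct SAs a given traffic mix would be spread over under this policy."""
    return {sa for sa in (lookup(spd, p) for p in traffic) if sa is not None}


# Constructed host pair.
A, B = "10.0.0.1/32", "10.0.0.2/32"

# Policy 1: host-pair granularity only (the "former" case in the thread).
HOST_ONLY_SPD = [SpdEntry(Selector(A, B), "sa_all")]

# Policy 2: per-port and per-protocol selectors, ordered from specific to general.
SELECTOR_SPD = [
    SpdEntry(Selector(A, B, TCP, 23), "sa_telnet"),
    SpdEntry(Selector(A, B, TCP, 80), "sa_http"),
    SpdEntry(Selector(A, B, TCP, 25), "sa_smtp"),
    SpdEntry(Selector(A, B, TCP), "sa_tcp"),   # remaining TCP
    SpdEntry(Selector(A, B, UDP), "sa_udp"),   # all UDP
]

# Constructed sample traffic from A to B.
TELNET = Packet("10.0.0.1", "10.0.0.2", TCP, 23)
HTTP = Packet("10.0.0.1", "10.0.0.2", TCP, 80)
SMTP = Packet("10.0.0.1", "10.0.0.2", TCP, 25)
OTHER_TCP = Packet("10.0.0.1", "10.0.0.2", TCP, 2222)
DNS_UDP = Packet("10.0.0.1", "10.0.0.2", UDP, 53)
SAMPLE_TRAFFIC = [TELNET, HTTP, SMTP, OTHER_TCP, DNS_UDP]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt.proto, pkt.dport, "->", lookup(HOST_ONLY_SPD, pkt), "|", lookup(SELECTOR_SPD, pkt))
    print("host-only SAs:", sas_in_use(HOST_ONLY_SPD, SAMPLE_TRAFFIC))
    print("selector SAs: ", sas_in_use(SELECTOR_SPD, SAMPLE_TRAFFIC))
```

Entry order matters: the catch-all TCP entry must sit below the port-specific ones, otherwise every TCP flow would land on sa_tcp. A packet from a host outside the selector (or a protocol no entry covers) returns None, which a real SPD would resolve via its own default entry.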
