
Re: IBM VPN Bakeoff Issues



Hi Dan,

Daniel Harkins wrote:
> 
>   This has been discussed before. There was a whole "ESP and AH used
> in tunnel mode by a Security Gateway" thread back in July. In that
> thread I noted that we were discussing something that was discussed
> back in May when the issue was ESP and IPPCP.
> 
>   What was agreed to back then was that for a _security gateway_, any
> transit traffic MUST be in tunnel mode so that in IP AH ESP IP <foo>
> both AH and ESP would be in tunnel mode. Steve Kent noted that this
> is not required by the Arch Doc (but I guess it's not forbidden
> either). So if that's the way a security gateway negotiates it why
> would we want to do something different for an end host? Aren't these
> things complicated enough?
 
I *just* received this one, else I would have addressed it in my last
post on this topic. I guess I understand your issue here: the
architecture doc says that SGWs must use tunnel mode unless they are
terminating the flow, and you don't think the SGW is doing that. I think
it is. It's terminating the ESP tunnel, so it's okay to use transport
mode AH on that flow. 

This cuts across the earlier thread here about whether ESP/AH are
suitable protocols for the 'transport protocol' selector designation. I
guess at this point I'd argue that ESP *is* a transport protocol, while
AH might more likely be simply an IP extension header, like IP options.
If we grant that ESP is a transport protocol, then it follows that the
SGWs are terminating it, and that AH in transport mode is acceptable in
this case.

I would argue that the adjacency of the AH/ESP headers precludes the
possibility that both are in tunnel mode, since by our own definitions,
tunnel mode requires encapsulation of the original datagram, while
transport mode consists of header insertion between the original header
and the data.

I recognize that this is a bit of a twisted web here, but I think you're
asking that we agree on a convention which is unnecessary. Waddayathink?

Scott
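The header-adjacency argument above can be checked mechanically: each AH or ESP header carries a next-header value, and only a value of IP (4 for IPv4, 41 for IPv6) means the header encapsulates a whole datagram, i.e. is in tunnel mode. The following example is added here and is not part of the original message or of any implementation discussed in the thread. It constructs two sample packets (the IP AH ESP IP <foo> layout from the thread, and the IP AH IP ESP IP layout that both-tunnel-mode would require), then walks the chain and labels each IPsec header. It assumes NULL encryption so the ESP trailer's next-header field is readable, uses placeholder ICVs and zero checksums, and only walks IPv4 inner headers.

```python
"""Classify AH/ESP headers as tunnel or transport mode by following the
next-header chain of a constructed IPv4 datagram (added example)."""
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_ESP, IPPROTO_AH = 4, 17, 41, 50, 51
PROTO_NAME = {4: "IP", 17: "UDP", 41: "IPv6", 50: "ESP", 51: "AH"}
ICV_LEN = 12  # placeholder ICV length for both AH and ESP (assumption)


def ipv4_header(protocol, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, protocol, 0, src, dst)


def ah_header(next_header, spi, seq):
    """AH per RFC 2402: next hdr, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    icv = b"\xbb" * ICV_LEN  # fake ICV, constructed sample
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def esp_packet(spi, seq, inner, next_header):
    """ESP per RFC 2406 with NULL encryption (assumption): SPI, seq, payload,
    padding, pad length, next header, ICV. Trailer is in the clear here."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer + b"\xaa" * ICV_LEN


def mode_of(next_header):
    """Tunnel mode iff the header encapsulates a whole IP datagram."""
    return "tunnel" if next_header in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"


def walk(packet):
    """Return [(header name, mode-or-None)] by following next-header values.
    ESP is assumed to run to the end of the datagram (true for both samples)."""
    chain, data, proto = [], packet, IPPROTO_IPIP  # outer header is itself IP
    while True:
        if proto == IPPROTO_IPIP:
            ihl, proto = (data[0] & 0x0F) * 4, data[9]
            chain.append(("IP", None))
            data = data[ihl:]
        elif proto == IPPROTO_AH:
            nh, ah_len = data[0], (data[1] + 2) * 4
            chain.append(("AH", mode_of(nh)))
            proto, data = nh, data[ah_len:]
        elif proto == IPPROTO_ESP:
            body = data[:-ICV_LEN]          # strip ICV; trailer ends with (pad_len, nh)
            nh, pad_len = body[-1], body[-2]
            chain.append(("ESP", mode_of(nh)))
            proto, data = nh, body[8:-(2 + pad_len)]
        else:
            chain.append((PROTO_NAME.get(proto, str(proto)), None))
            return chain


def sample_inner():
    """Constructed inner datagram: IPv4 + UDP carrying four bytes."""
    udp = struct.pack("!HHHH", 500, 500, 8 + 4, 0) + b"ping"
    return ipv4_header(IPPROTO_UDP, len(udp)) + udp


def sample_ip_ah_esp_ip():
    """The thread's IP AH ESP IP <foo> layout: AH directly precedes ESP."""
    esp = esp_packet(0x1001, 1, sample_inner(), IPPROTO_IPIP)
    ah = ah_header(IPPROTO_ESP, 0x2002, 1)
    return ipv4_header(IPPROTO_AH, len(ah) + len(esp)) + ah + esp


def sample_ip_ah_ip_esp_ip():
    """What AH tunnel over ESP tunnel would look like: an IP header sits between them."""
    esp = esp_packet(0x1001, 1, sample_inner(), IPPROTO_IPIP)
    mid = ipv4_header(IPPROTO_ESP, len(esp))
    ah = ah_header(IPPROTO_IPIP, 0x2002, 1)
    return ipv4_header(IPPROTO_AH, len(ah) + len(mid) + len(esp)) + ah + mid + esp


if __name__ == "__main__":
    for name, pkt in (("IP AH ESP IP UDP", sample_ip_ah_esp_ip()),
                      ("IP AH IP ESP IP UDP", sample_ip_ah_ip_esp_ip())):
        print(name, "->", walk(pkt))
```

Running it shows AH labelled "transport" in the adjacent layout (its next header is ESP, not IP) and "tunnel" only when an IP header follows it, which is exactly why two adjacent IPsec headers cannot both be in tunnel mode.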

