
Re: IBM VPN Bakeoff Issues



  Scott,

  I guess it doesn't matter what we agree to because in 2 bakeoffs
hence somebody else will raise this as an "issue" and we'll all climb back
into the rathole. 

  Yes, what we have today, what we agreed to the time before when this 
issue was raised, isn't Architecturally Pure (tm) but it works and there 
is running code, from different people, that does it this way. And it does 
make sense. 

  I swear, this WG flip flops so much we make Clinton look good. 

  Dan.

On Fri, 06 Nov 1998 17:18:49 PST you wrote
> Hi Dan,
> 
> Daniel Harkins wrote:
> > 
> >   This has been discussed before. There was a whole "ESP and AH used
> > in tunnel mode by a Security Gateway" thread back in July. In that
> > thread I noted that we were discussing something that was discussed
> > back in May when the issue was ESP and IPPCP.
> > 
> >   What was agreed to back then was that for a _security gateway_, any
> > transit traffic MUST be in tunnel mode so that in IP AH ESP IP <foo>
> > both AH and ESP would be in tunnel mode. Steve Kent noted that this
> > is not required by the Arch Doc (but I guess it's not forbidden
> > either). So if that's the way a security gateway negotiates it why
> > would we want to do something different for an end host? Aren't these
> > things complicated enough?
>  
> I *just* received this one, else I would have addressed it in my last
> post on this topic. I guess I understand your issue here: the
> architecture doc says that SGWs must use tunnel mode unless they are
> terminating the flow, and you don't think the SGW is doing that. I think
> it is. It's terminating the ESP tunnel, so it's okay to use transport
> mode AH on that flow. 
> 
> This cuts across the earlier thread here about whether ESP/AH are
> suitable protocols for the 'transport protocol' selector designation. I
> guess at this point I'd argue that ESP *is* a transport protocol, while
> AH might more likely be simply an IP extension header, like IP options.
> If we grant that ESP is a transport protocol, then it follows that the
> SGWs are terminating it, and that AH in transport mode is acceptable in
> this case.
> 
> I would argue that the adjacency of the AH/ESP headers precludes the
> possibility that both are in tunnel mode, since by our own definitions,
> tunnel mode requires encapsulation of the original datagram, while
> transport mode consists of header insertion between the original header
> and the data. 
> 
> I recognize that this is a bit of a twisted web here, but I think you're
> asking that we agree on a convention which is unnecessary. Waddayathink?
> 
> Scott
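The header layouts the two of them are arguing about, written out as an added example (this is not code from Dan, Scott, or the IPsec WG). It models a datagram as a list of protocol names, outermost header first, and applies the two definitions Scott quotes: tunnel mode puts a new outer IP header and the IPsec header in front of the whole original datagram, transport mode inserts the IPsec header right after the existing outer IP header. Running it shows that the wire layout Dan describes, IP AH ESP IP <foo>, is what you get from ESP in tunnel mode followed by AH in transport mode, whereas AH and ESP both in tunnel mode produce a different, longer chain (IP AH IP ESP IP <foo>). The protocol names and the `<foo>` payload placeholder are constructed for the example.

```python
# Constructed model of IPsec header chains; not code from the thread.
# A chain is a list of header names, outermost first, e.g.
# ["IP", "AH", "ESP", "IP", "TCP"] for the layout "IP AH ESP IP <foo>".

IPSEC_HEADERS = {"AH", "ESP"}


def apply(chain, proto, mode):
    """Wrap an existing datagram with one more IPsec header.

    tunnel:    the original datagram is encapsulated whole, so a new outer
               IP header and the IPsec header are prepended.
    transport: the IPsec header is inserted between the existing outer IP
               header and whatever followed it.
    """
    if proto not in IPSEC_HEADERS:
        raise ValueError(f"not an IPsec header: {proto}")
    if not chain or chain[0] != "IP":
        raise ValueError("chain must start with an IP header")
    if mode == "tunnel":
        return ["IP", proto] + chain
    if mode == "transport":
        return [chain[0], proto] + chain[1:]
    raise ValueError(f"unknown mode: {mode}")


def classify_modes(chain):
    """Return {index: mode} for every AH/ESP header in the chain.

    By the definitions quoted in the thread, an IPsec header that is
    immediately followed by an IP header has encapsulated an original
    datagram and is therefore in tunnel mode; anything else (a following
    AH/ESP header, or the original upper-layer payload) means the header
    was inserted after an IP header, i.e. transport mode.
    """
    modes = {}
    for i, hdr in enumerate(chain):
        if hdr not in IPSEC_HEADERS:
            continue
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        modes[i] = "tunnel" if nxt == "IP" else "transport"
    return modes


def layout(chain):
    """Render a chain in the thread's notation, e.g. 'IP AH ESP IP <foo>'.

    The innermost payload header is shown as <foo>, as in Dan's message.
    """
    return " ".join(chain[:-1] + ["<foo>"])


def describe(chain):
    """Pair each AH/ESP header with the mode it is in, for display."""
    return [(chain[i], mode) for i, mode in classify_modes(chain).items()]


# Layout 1: ESP tunnel applied by the gateway, then AH in transport mode.
ESP_TUNNEL_AH_TRANSPORT = apply(apply(["IP", "TCP"], "ESP", "tunnel"),
                                "AH", "transport")

# Layout 2: ESP tunnel, then AH also in tunnel mode.
ESP_TUNNEL_AH_TUNNEL = apply(apply(["IP", "TCP"], "ESP", "tunnel"),
                             "AH", "tunnel")

if __name__ == "__main__":
    for chain in (ESP_TUNNEL_AH_TRANSPORT, ESP_TUNNEL_AH_TUNNEL):
        print(f"{layout(chain):28s} -> {describe(chain)}")
```

The point the script makes concrete is that "AH and ESP adjacent" and "AH and ESP both in tunnel mode" cannot both be true under the definitions the thread itself uses: the adjacent layout classifies AH as transport mode, and forcing both into tunnel mode inserts an extra IP header between them.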

