Re: IBM VPN Bakeoff Issues



Scott,

>> > 2) The encapsulation mode of all services offered MUST match that
>> >encapsulation mode of the bundle as a whole.
>>
>> Well, remember that a bundle can apply to traffic terminating at two
>> different endpoints, specifically the required combination of a tunnel SA
>> to an SG with a transport SA to a host behind the SG.
>
>Precisely. And what about ESP in tunnel mode, wrapped with AH in
>transport mode between 2 SGs?

Transport mode is used between two IP processing endpoints, not
intermediate processing points, so one would not use AH in transport mode
between two SGs, and thus the combination you describe is not valid, under
the current architecture. Remember, the differences between tunnel and
transport mode affect the checking performed on IP headers, not just the
question of what is the next protocol field.  When AH is used in transport
mode, the IP header it encapsulates is the one checked against the SPD.  Is
that really what you want here?

>I recognize all too well how these restrictions would simplify
>processing, but don't think that makes for a good reason to modify the
>spec.

I'm not talking about modifying the spec.  I'm reminding people of why we
restricted the number of MUST support cases, and observing that when one
ventures outside of this realm, interoperability is likely to suffer
greatly.  In an effort to get these documents out the door, we were
implored by a set of implementors to simplify previous versions of the
architecture document which had called for supporting iterated nesting of
SAs.

steve
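As an added illustration that is not part of the thread, the following Python model encodes the two rules the reply relies on: a transport-mode SA runs only between the packet's own IP processing endpoints, and each SA's SPD check uses the IP header that SA encapsulates (so nesting changes which addresses get checked). The topology, addresses, and class names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    addr: str
    is_gateway: bool  # True for a security gateway (SG), False for an end host

@dataclass(frozen=True)
class SA:
    proto: str  # "AH" or "ESP"
    mode: str   # "transport" or "tunnel"
    src: Node
    dst: Node

def apply_bundle(bundle, inner_src, inner_dst):
    """Apply SAs innermost-first to a packet addressed inner_src -> inner_dst.
    Returns (sa, checked_header, problems) per SA: checked_header is the
    (src, dst) pair whose selectors the SPD lookup uses for that SA."""
    header = (inner_src, inner_dst)  # IP header of the packet as it stands now
    report = []
    for sa in bundle:
        problems = []
        if sa.mode == "transport":
            # Transport mode runs only between the packet's two IP processing
            # endpoints, not between intermediate points such as two SGs.
            if sa.src.is_gateway or sa.dst.is_gateway:
                problems.append("transport mode terminates at a security gateway")
            if (sa.src, sa.dst) != header:
                problems.append("transport SA endpoints differ from the protected header")
        # Both modes check the header they encapsulate; tunnel mode then adds an
        # outer header addressed to the tunnel endpoints.
        checked = header
        if sa.mode == "tunnel":
            header = (sa.src, sa.dst)
        report.append((sa, (checked[0].addr, checked[1].addr), problems))
    return report

def bundle_is_valid(bundle, inner_src, inner_dst):
    return all(not p for _, _, p in apply_bundle(bundle, inner_src, inner_dst))

# Constructed topology (not from the thread): host A behind SG1, host B behind SG2.
A, B = Node("10.1.0.5", False), Node("10.2.0.7", False)
SG1, SG2 = Node("192.0.2.1", True), Node("198.51.100.1", True)
# The combination the quoted text calls required: host-to-host transport SA inside a tunnel SA to the far SG.
VALID_BUNDLE = [SA("ESP", "transport", A, B), SA("ESP", "tunnel", A, SG2)]
# The combination the reply rejects: ESP tunnel SG1->SG2 wrapped in AH transport SG1->SG2.
QUESTIONED_BUNDLE = [SA("ESP", "tunnel", SG1, SG2), SA("AH", "transport", SG1, SG2)]
```

Running `apply_bundle(QUESTIONED_BUNDLE, A, B)` shows the outer AH SA's SPD check using the SG addresses rather than the hosts', which is the consequence the reply asks about.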
