
Re: Bruce Schneier on IPsec



> > On the other hand, the distinction between transport mode and tunnel mode is a
> > vital matter of network architecture, and I don't think that that was properly
> > understood by the authors.  (I sent a long note to them on this topic quite
> > some time ago.)  I'm quite convinced that we made the right choice there, and
> > see no reason to revisit it.
> 
> Could you post the note here, or is it perchance in the archives? The reason
> for having the two modes is far from obvious to me, and perhaps others.

I don't understand what the big fuss is about two modes. In my
implementation the core IPSEC code implements only TRANSPORT MODE! The
tunnel mode is achieved simply by slapping an IP tunnel on a packet and
THEN applying the transport mode transformation. Seems to work fine
and is very simple.

I suppose the problems are on the IKE side then. I still want a simpler
IKE, one that only negotiates a 1-directional SA when the kernel asks for it.

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203, FIN-02044 VTT, http://www.vtt.fi/tte/staff/msa/
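Added illustration (not part of the thread or of Savela's implementation) of the composition he describes: tunnel mode built as IP-in-IP encapsulation followed by a transport-mode ESP transform. Only the on-the-wire layout is modelled; the ESP "transform" here is a placeholder with no encryption and a zeroed integrity tag, and all addresses and SPIs are constructed sample values.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 12  # placeholder tag length; a real transform computes the ICV

def ip_checksum(hdr):
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_transport(pkt, spi, seq):
    """Transport-mode ESP: keep pkt's own IP header, wrap everything after it.
    The original protocol number moves into the ESP trailer's Next Header."""
    hdr, payload = pkt[:20], pkt[20:]
    next_header = hdr[9]
    pad_len = (-(len(payload) + 2)) % 4          # pad so trailer ends 4-byte aligned
    padding = bytes(range(1, pad_len + 1))       # RFC-style monotonic padding bytes
    esp = (struct.pack("!II", spi, seq) + payload + padding
           + bytes([pad_len, next_header]) + b"\0" * ICV_LEN)
    src, dst = ".".join(map(str, hdr[12:16])), ".".join(map(str, hdr[16:20]))
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def ipip_encapsulate(pkt, outer_src, outer_dst):
    """Plain IP-in-IP tunnel: a new outer header carrying the whole inner packet."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(pkt)) + pkt

def esp_tunnel(pkt, outer_src, outer_dst, spi, seq):
    """Savela's construction: tunnel mode == IP-in-IP, then transport-mode ESP.
    The result has outer proto 50 and ESP Next Header 4, i.e. the tunnel-mode layout."""
    return esp_transport(ipip_encapsulate(pkt, outer_src, outer_dst), spi, seq)

def esp_decapsulate(pkt):
    """Inverse of esp_transport: returns (next_header, protected payload bytes)."""
    hdr, esp = pkt[:20], pkt[20:]
    if hdr[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body = esp[8:-ICV_LEN]                       # strip SPI/seq and the tag
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:-(pad_len + 2)]
```

Decapsulating the tunnel-mode result yields Next Header 4 and the untouched inner packet, which a receiver then hands to its ordinary IP-in-IP decapsulation; no separate tunnel-mode code path is needed.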