
Re: Bruce Schneier on IPsec



> I read the Counterpane paper, and I strongly agreed with almost
> everything they said. About the only exception was their proposal to
> do away with transport mode, which is exactly opposite of what should
> be done. As you say, tunnel mode should be eliminated in favor of
> standard tunneling techniques (IP in IP, GRE, etc) before the packet
> is handed to IPSec.

I agree and disagree here.

From the protocol/over-the-wire standpoint, this is exactly right.

However, from the POV of packet filtering/policy checking, tunnel mode
and transport mode require very different sorts of policy checks on
the addresses in the outer and inner ip headers.

Now, if all of your interfaces (including your tunnels) are set up
with appropriate inbound filters, this isn't a big deal, but
traditionally, that sort of filtering is not part of an IP stack.
Always having the inner ip header (making the outer ip header
irrelevant) would allow the check to always be done as part of ipsec
rather than over in some other part of the system.

					- Bill
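The policy-check difference Bill describes, modelled as an added example (it is not code from the thread, from any IPsec implementation, or from the Counterpane paper). It assumes a minimal SA record with a peer address and CIDR traffic selectors, and constructed sample packets; the header fields, the `InboundSA` class and the two scenario functions are all illustrative names, not an actual stack's API. In tunnel mode the IPsec layer itself matches the inner header against the SA selectors, so a packet whose inner addresses fall outside them is dropped there. With "transport mode protecting IP-in-IP" the IPsec layer only ever sees the outer header, accepts it, and the inner header reaches the tunnel interface unchecked unless that interface carries its own inbound filter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: str  # "esp", "ipip", "tcp", ... (illustrative labels only)


@dataclass(frozen=True)
class InboundSA:
    mode: str     # "tunnel" or "transport"
    peer: str     # remote endpoint that is allowed to send on this SA
    src_sel: str  # CIDR: source side of the traffic this SA may carry
    dst_sel: str  # CIDR: destination side of the traffic this SA may carry


def within_selectors(hdr: IPHeader, sa: InboundSA) -> bool:
    """True if the header's addresses fall inside the SA's traffic selectors."""
    return (ip_address(hdr.src) in ip_network(sa.src_sel)
            and ip_address(hdr.dst) in ip_network(sa.dst_sel))


def ipsec_inbound_check(outer: IPHeader, inner: Optional[IPHeader],
                        sa: InboundSA) -> Tuple[bool, str]:
    """Policy check done by the IPsec layer after ESP decapsulation.

    tunnel mode:    the outer header only identifies the peer; the inner
                    header is what the SA selectors are matched against.
    transport mode: there is only one IP header; it is both the peer
                    identity and the selector, and the payload is opaque.
    """
    if outer.src != sa.peer:
        return False, "outer source is not the SA peer"
    if sa.mode == "tunnel":
        if inner is None:
            return False, "tunnel-mode SA but no inner IP header"
        if not within_selectors(inner, sa):
            return False, "inner addresses outside SA selectors"
        return True, "inner header checked inside IPsec"
    # transport mode: IPsec never looks past the outer header, so an
    # IP-in-IP payload is handed on without any address check here
    if not within_selectors(outer, sa):
        return False, "outer addresses outside SA selectors"
    return True, "outer header checked; payload not inspected by IPsec"


def interface_inbound_filter(hdr: IPHeader, allowed_src: List[str]) -> bool:
    """The per-interface ingress filter that the transport+IP-in-IP design
    relies on, living in the tunnel interface rather than in IPsec."""
    return any(ip_address(hdr.src) in ip_network(n) for n in allowed_src)


# Constructed sample data (documentation address ranges, not real hosts)
PEER = "198.51.100.7"
TUNNEL_SA = InboundSA("tunnel", PEER, "10.2.0.0/16", "10.1.0.0/16")
TRANSPORT_SA = InboundSA("transport", PEER, "198.51.100.7/32", "203.0.113.1/32")
OUTER = IPHeader(PEER, "203.0.113.1", "esp")
INNER_OK = IPHeader("10.2.0.5", "10.1.0.9", "tcp")
INNER_SPOOFED = IPHeader("10.1.0.1", "10.1.0.9", "tcp")  # claims a local source


def tunnel_mode_results() -> Tuple[bool, bool]:
    """(good inner accepted, spoofed inner rejected) - both decided by IPsec."""
    return (ipsec_inbound_check(OUTER, INNER_OK, TUNNEL_SA)[0],
            ipsec_inbound_check(OUTER, INNER_SPOOFED, TUNNEL_SA)[0])


def transport_ipip_results() -> Tuple[bool, bool]:
    """Transport-mode ESP protecting an IP-in-IP packet: IPsec accepts on the
    outer header alone; only the interface filter can catch the spoofed inner."""
    ipsec_ok = ipsec_inbound_check(OUTER, INNER_SPOOFED, TRANSPORT_SA)[0]
    iface_ok = interface_inbound_filter(INNER_SPOOFED, ["10.2.0.0/16"])
    return ipsec_ok, iface_ok


if __name__ == "__main__":
    print("tunnel mode   (ok, spoofed):", tunnel_mode_results())
    print("transport+ipip (ipsec, iface):", transport_ipip_results())
```

The point of the two scenario functions is where the rejection happens: in the tunnel-mode run the second value is `False` because IPsec itself refused the inner header, while in the transport-plus-IP-in-IP run IPsec returns `True` and the packet survives unless the tunnel interface has its own filter.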

