
RE: IPSec Complexity



> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: 18 February 2000 17:29
> To: Chris Trobridge
> Cc: ipsec@lists.tislabs.com
> Subject: RE: IPSec Complexity
> 
> 
> Chris,
> 
> If you do IP in IP tunneling, and then apply transport mode, you 
> will suffer the access control problems I described earlier, because 
> transport mode IPsec looks only at the outer IP header, not the inner 
> one.  Also, you will not be compliant with the IPsec Architecture as 
> defined in RFC 2401.
> 
> Steve

I agree - I think we need tunneling.

If you regard IP tunnelling as a separate 'module' then the datagrams are
being sent end to end and I think transport mode would then be compliant (i.e.
the datagrams are already tunneled before they reach IPSEC).  However, this
means that the whole tunneling process is outside of the control of IPSEC
and you can impose IPSEC policy on the traffic carried, hence the access
control problem.

Chris
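To make Steve's point concrete, here is an added example (not from this thread): a toy SPD lookup in Python that shows why transport mode applied to an already IP-in-IP-encapsulated datagram enforces policy only on the tunnel endpoint addresses, while tunnel mode's selectors come from the inner header. The SPD rules, addresses and packet contents are constructed for illustration.

```python
import ipaddress
import struct
IPPROTO_IPIP, IPPROTO_TCP = 4, 6

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed data)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a packet whose header length is in IHL."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, proto, pkt[ihl:]

# Hypothetical SPD: (src network, dst network, action); first match wins, default DISCARD.
SPD = [
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24"), "PROTECT"),
    (ipaddress.ip_network("192.0.2.1/32"), ipaddress.ip_network("198.51.100.1/32"), "PROTECT"),
]
def spd_lookup(src, dst):
    for s_net, d_net, action in SPD:
        if ipaddress.ip_address(src) in s_net and ipaddress.ip_address(dst) in d_net:
            return action
    return "DISCARD"

def transport_mode_decision(pkt):
    """Transport mode: selectors are taken from the outer header only (RFC 2401 behaviour)."""
    src, dst, _, _ = parse_ipv4(pkt)
    return spd_lookup(src, dst)

def tunnel_mode_decision(pkt):
    """Tunnel mode: IPsec sees the original datagram, so selectors come from the inner header."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        return spd_lookup(src, dst)
    inner_src, inner_dst, _, _ = parse_ipv4(payload)
    return spd_lookup(inner_src, inner_dst)
def ip_in_ip(inner_src, inner_dst, outer_src="192.0.2.1", outer_dst="198.51.100.1"):
    """Constructed IP-in-IP datagram: an inner TCP packet wrapped by the tunnel endpoints."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 4) + b"data"
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner

if __name__ == "__main__":
    rogue = ip_in_ip("10.0.9.9", "10.0.1.9")   # inner source not covered by any SPD rule
    print(transport_mode_decision(rogue), tunnel_mode_decision(rogue))  # PROTECT DISCARD
```

The rogue inner source passes the transport-mode check purely because the outer tunnel endpoints match an SPD entry; only the inner-header check catches it.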