Re: RFC 2401 section 5.2.1
On Wed, 22 Nov 2000 itojun@iijlab.net wrote:
> >Many of the death-to-AH enthusiasts also favoring killing transport mode
> >and doing everything with tunnel mode...
>
> do we want to use tunnel mode on non-VPN ipsec exchanges?
> I don't think so.
Why not? It can do everything transport mode does. (In particular, it is
perfectly capable of working host-to-host.)
"Recommendation 1: *Eliminate transport mode*. ...we do not know why
IPsec has two modes... The extra cost of a second mode (in terms of added
complexity and resulting loss of security) is huge..." -- Ferguson & Schneier
It would be sensible to retain both if transport mode were the fundamental
IPsec mode and tunnel mode were *just* IPIP tunneling over a transport-mode
connection. But it's not. (If it were, tunnel mode could be explained in
a single footnote in RFC 2401, rather than having implications everywhere.)
Henry Spencer
henry@spsystems.net
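To make the argument in the message above concrete, here is an added example (not code from the original post or from its author) that lays out the same host-to-host TCP segment in ESP transport mode and in ESP tunnel mode following the RFC 2401/2406 header layout, and then decapsulates both with one receive routine. Encryption and the integrity check value are deliberately omitted so the payload, padding, pad-length and next-header bytes stay visible; the addresses, ports, SPIs and HTTP payload are constructed sample values. The point it shows is the one the message makes: in tunnel mode the ESP payload is a complete IPIP-encapsulated datagram (next header 4), so a host-to-host tunnel-mode packet carries a second copy of the same addresses and decapsulates to exactly what transport mode (next header 6) delivers.

```python
"""ESP transport mode vs. tunnel mode, structurally (added example).

No cryptography: ESP payload, padding, pad length and next header are in
the clear and no ICV is appended, so this is a layout demonstration only.
All addresses, SPIs, ports and payload bytes are constructed sample values.
"""
import struct
import ipaddress

IPPROTO_IPIP = 4   # ESP next-header value: an IPv4 header follows (tunnel mode)
IPPROTO_TCP = 6    # ESP next-header value: a TCP segment follows (transport mode)
IPPROTO_ESP = 50   # protocol field of the outer IPv4 header


def _checksum(data):
    """RFC 791 one's-complement header checksum (returns 0 over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_wrap(spi, seq, inner, next_header):
    """SPI, sequence number, payload, padding, pad length, next header (no ICV)."""
    pad_len = (-(len(inner) + 2)) % 4            # 4-byte alignment, RFC 2406 s2.4
    padding = bytes(range(1, pad_len + 1))       # default monotonic padding 1,2,3,...
    return (struct.pack("!II", spi, seq) + inner + padding
            + struct.pack("!BB", pad_len, next_header))


def esp_unwrap(esp):
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = struct.unpack("!BB", esp[-2:])
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]


def transport_mode(src, dst, spi, seq, tcp_segment):
    """Outer IP header is the real one; ESP carries the bare TCP segment."""
    esp = esp_wrap(spi, seq, tcp_segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(outer_src, outer_dst, inner_src, inner_dst, spi, seq, tcp_segment):
    """ESP carries a whole IPv4 datagram; outer header may differ from inner."""
    inner_pkt = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_wrap(spi, seq, inner_pkt, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def decapsulate(packet):
    """One receive path for both modes; the ESP next-header byte decides.
    Returns (mode, src, dst, tcp_segment) as the upper layer would see it."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    _spi, _seq, next_header, inner = esp_unwrap(packet[ihl:])
    if next_header == IPPROTO_TCP:
        return "transport", outer_src, outer_dst, inner
    if next_header == IPPROTO_IPIP:
        inner_ihl = (inner[0] & 0x0F) * 4
        if _checksum(inner[:inner_ihl]) != 0:
            raise ValueError("bad inner IPv4 header checksum")
        inner_src = str(ipaddress.IPv4Address(inner[12:16]))
        inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
        return "tunnel", inner_src, inner_dst, inner[inner_ihl:]
    raise ValueError("unsupported ESP next header %d" % next_header)


def sample_tcp_segment():
    """Constructed TCP SYN-ish segment with an HTTP payload (TCP checksum left 0)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return tcp_hdr + b"GET / HTTP/1.0\r\n\r\n"


SEGMENT = sample_tcp_segment()
# Host-to-host: same endpoints in both modes; tunnel mode just repeats them inside.
TRANSPORT_PKT = transport_mode("10.0.0.1", "10.0.0.2", 0x1001, 1, SEGMENT)
TUNNEL_H2H_PKT = tunnel_mode("10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.2", 0x1002, 1, SEGMENT)
# Gateway-to-gateway: only tunnel mode can express differing outer and inner addresses.
TUNNEL_GW_PKT = tunnel_mode("192.0.2.1", "198.51.100.1", "10.0.0.1", "10.0.0.2", 0x1003, 1, SEGMENT)

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT_PKT), ("tunnel h2h", TUNNEL_H2H_PKT),
                      ("tunnel gw", TUNNEL_GW_PKT)):
        print(name, len(pkt), "bytes ->", decapsulate(pkt)[:3])
```

Run as a script, it prints the three packet sizes and the mode and addresses each decapsulates to; the host-to-host tunnel packet is exactly one 20-byte IPv4 header longer than the transport packet and yields the same segment and addresses.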