
Re: RFC 2401 section 5.2.1



On Wed, 22 Nov 2000 itojun@iijlab.net wrote:
> >Many of the death-to-AH enthusiasts also favor killing transport mode
> >and doing everything with tunnel mode...
> 
> 	do we want to use tunnel mode on non-VPN ipsec exchanges?
> 	I don't think so.

Why not?  It can do everything transport mode does.  (In particular, it is
perfectly capable of working host-to-host.)

"Recommendation 1:  *Eliminate transport mode*.  ...we do not know why
IPsec has two modes...  The extra cost of a second mode (in terms of added
complexity and resulting loss of security) is huge..." -- Ferguson & Schneier

It would be sensible to retain both if transport mode were the fundamental
IPsec mode and tunnel mode were *just* IPIP tunneling over a transport-mode
connection.  But it's not.  (If it were, tunnel mode could be explained in
a single footnote in RFC 2401, rather than having implications everywhere.)

                                                          Henry Spencer
                                                       henry@spsystems.net
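The point argued above, that tunnel mode is structurally transport mode plus an inner IP header (next header 4, "IP in IP") and therefore works host-to-host when the outer and inner addresses coincide, is easiest to see on the wire. The following is an added example written for this page; it is not code from Henry Spencer, itojun, or any IPsec implementation discussed in the thread. It frames ESP (RFC 2406 layout) in both modes with NULL encryption (RFC 2410, chosen only so the framing stays readable; it gives no confidentiality) and an HMAC-SHA1-96 ICV (RFC 2404), then decapsulates both and shows they deliver the same TCP segment between the same two hosts. The key, SPI, addresses (RFC 5737 documentation range) and TCP segment are all constructed for illustration; no key management or replay window is modelled.

```python
"""ESP framing in transport vs. tunnel mode for a host-to-host exchange.

Constructed example: RFC 2410 NULL encryption so the layout is visible,
HMAC-SHA1-96 integrity. Key, SPI, addresses and payload are made up.
"""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50    # IP protocol number carrying ESP
IPIP_PROTO = 4    # ESP next-header value meaning "an IP datagram follows" (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 12      # HMAC-SHA1-96 truncates the 20-byte SHA-1 MAC to 96 bits


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def esp_encapsulate(key: bytes, spi: int, seq: int, next_header: int, data: bytes) -> bytes:
    """ESP with NULL encryption: SPI|seq | data | pad | pad_len | next_header | ICV.
    Padding aligns pad_len/next_header to a 4-byte boundary (RFC 2406 section 2.4);
    the ICV covers everything in front of it."""
    pad_len = (-(len(data) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default pad pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def transport_mode(key, spi, seq, src, dst, tcp_segment):
    """Outer IP | ESP | TCP | trailer(next=6) | ICV: only the transport payload is protected."""
    esp = esp_encapsulate(key, spi, seq, TCP_PROTO, tcp_segment)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key, spi, seq, outer_src, outer_dst, inner_src, inner_dst, tcp_segment):
    """Outer IP | ESP | inner IP | TCP | trailer(next=4) | ICV: the whole inner datagram
    is protected. Host-to-host use is simply outer addresses == inner addresses."""
    inner = ipv4_header(inner_src, inner_dst, TCP_PROTO, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(key, spi, seq, IPIP_PROTO, inner)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(key: bytes, packet: bytes):
    """Verify the ICV, strip ESP, and return (src, dst, proto, payload) of the protected
    datagram, following the next-header field through an inner IP header if present."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    esp, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pad_len, next_header = esp[-2], esp[-1]
    data = esp[8:-(2 + pad_len)]
    if next_header == IPIP_PROTO:                  # tunnel mode: one more IP header inside
        inner_ihl = (data[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20])
        return src, dst, data[9], data[inner_ihl:]
    return src, dst, next_header, data             # transport mode: payload follows directly


KEY = b"constructed-example-key-not-secret"        # illustrative only
SPI, SEQ = 0x1000, 1
A, B = "192.0.2.10", "192.0.2.20"                  # RFC 5737 documentation addresses
# Constructed 20-byte TCP header followed by the 5-byte payload "Hello".
SEGMENT = bytes.fromhex("c35001bb00000001000000005002ffff0000000048656c6c6f")


def compare_modes():
    """Frame the same segment A->B both ways; return both decapsulations and the size delta."""
    transport = transport_mode(KEY, SPI, SEQ, A, B, SEGMENT)
    tunnel = tunnel_mode(KEY, SPI, SEQ, A, B, A, B, SEGMENT)
    return esp_decapsulate(KEY, transport), esp_decapsulate(KEY, tunnel), len(tunnel) - len(transport)


if __name__ == "__main__":
    from_transport, from_tunnel, extra = compare_modes()
    print("transport mode delivered:", from_transport)
    print("tunnel mode delivered:   ", from_tunnel)
    print("tunnel mode costs", extra, "extra bytes: exactly the inner IPv4 header")
```

Both decapsulations yield (A, B, 6, SEGMENT); the only on-the-wire difference for a host-to-host SA is the 20-byte inner header and the next-header value 4 instead of 6. What this example does not capture, and what the reply above is really about, is everything in RFC 2401 that depends on the mode outside the packet format: how the SPD selectors are matched against inner versus outer headers, which header's TTL, TOS and DF bits get copied or regenerated, and fragmentation handling.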


