
Re: RFC 2401 section 5.2.1

Awan Kumar Sharma wrote:
> 
> Hi,
> For the past few days, I have seen lots of discussion on the relevance of
> transport and tunnel modes. Although I have not been working on these protocols for
> very long, I see no reason for the relevance of transport mode
> over the tunnel mode. The reason being:
> 
> 1) Ref : RFC 2401, Section 4.1  Definition and scope.
>   It says
>          "In IPv4, a transport mode security protocol header
>          appears immediately after the IP header and any options, and before
>          any higher layer protocols (e.g., TCP or UDP)".
> 
>         i.e.  In transport mode, the packet will look like [IP][ESP][HLP].
> Here I have taken ESP as an example.
> Now we see that in this case, ESP will encrypt *only* [HLP] and thus IP is
> not protected i.e. encrypted. Even if we select authentication in ESP, the
> IP header is not protected.
> 
>   About Tunnel Mode, RFC 2401 says,
>         "The security protocol header appears after the outer IP header, and
>    before the inner IP header".
> 
>         i.e. In Tunnel Mode, the packet will look like [outer
> IP][ESP][InnerIP][HLP].
> Now we see that ESP can encrypt the inner IP packet thus maintaining its
> confidentiality. If authentication in ESP is used, the inner IP header is
> fully authenticated also. And I think a security protocol should work in
> this manner.
> 
> So, having this argument, I see no reason for Transport mode being more
> relevant than the Tunnel Mode.
> Any suggestion/correction in this regard is most welcome.

We've been considering the transport case where [HLP] == "[InnerIP][HLP]",
i.e., transport mode does not exclude the use of IP as its content data.

> 2) Now taking up the argument that transport mode with tunneling is same as
> Tunnel mode in IPSec.
>         The tunneled transport mode protected packet will look like :
>                         [OuterIP][InnerIP][ESP][HLP].

The idea is to tunnel THEN do transport encryption, resulting in:

			[OuterIP][ESP][InnerIP][HLP]

>         If my first point is correct, then we can see the extent of coverage in
> this case on the same lines as before and compare it with the Tunnel mode
> protected packet, which will look like,
>                         [OuterIP][ESP][InnerIP][HLP].

As you can see, they now match.

For more information, see draft-touch-ipsec-vpn-00.txt

Joe
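
As an added illustration (not part of this thread or of RFC 2401), the following Python models the three layouts discussed above and what ESP covers in each: transport mode [IP][ESP][HLP], tunnel mode [OuterIP][ESP][InnerIP][HLP], and IP-in-IP encapsulation followed by transport-mode ESP. The model is an assumption for illustration: each bracketed header is a `Layer`, ESP confidentiality covers everything after the ESP header, the ESP ICV covers the ESP header and its payload but never the IP header in front of it, and the ESP trailer and ICV are folded into the single "ESP" layer. The function and class names are mine.

```python
# Constructed model of ESP coverage per packet layout (illustration only;
# not code from the thread or from any IPsec implementation).
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str                    # e.g. "IP", "OuterIP", "InnerIP", "ESP", "HLP"
    encrypted: bool = False      # covered by ESP confidentiality
    authenticated: bool = False  # covered by the ESP integrity check value


def layout(pkt):
    """Render a packet in the [A][B][C] bracket notation used in the thread."""
    return "".join(f"[{layer.name}]" for layer in pkt)


def coverage(pkt):
    """Map each header name to (encrypted, authenticated)."""
    return {layer.name: (layer.encrypted, layer.authenticated) for layer in pkt}


def _require_ip_first(pkt):
    if not pkt or not pkt[0].name.endswith("IP"):
        raise ValueError("packet must start with an IP header")


def esp_transport(pkt):
    """Transport-mode ESP (RFC 2401 sect. 4.1): ESP is inserted right after the
    IP header. Everything after ESP becomes encrypted and authenticated payload;
    the ESP header itself is authenticated; the IP header in front is neither."""
    _require_ip_first(pkt)
    ip, rest = pkt[0], pkt[1:]
    protected = [Layer(layer.name, True, True) for layer in rest]
    return [Layer(ip.name), Layer("ESP", authenticated=True)] + protected


def ip_in_ip(pkt, inner_name="InnerIP", outer_name="OuterIP"):
    """Plain IP-in-IP encapsulation with no ESP of its own: the packet's IP
    header becomes the inner header and a fresh outer header is prepended.
    Existing ESP coverage inside the packet is carried along unchanged."""
    _require_ip_first(pkt)
    first = pkt[0]
    inner = [Layer(inner_name, first.encrypted, first.authenticated)] + list(pkt[1:])
    return [Layer(outer_name)] + inner


def esp_tunnel(pkt):
    """Tunnel-mode ESP built directly from the RFC text: a new outer IP header,
    then ESP, then the whole original packet (inner IP header included) as
    encrypted, authenticated payload. Deliberately NOT defined in terms of
    esp_transport so the comparison below is not circular."""
    _require_ip_first(pkt)
    inner = [Layer("InnerIP", True, True)] + [Layer(l.name, True, True) for l in pkt[1:]]
    return [Layer("OuterIP"), Layer("ESP", authenticated=True)] + inner


def compare_layouts():
    """Build the four layouts from the thread and return their bracket form
    and per-header coverage so they can be compared side by side."""
    plain = [Layer("IP"), Layer("HLP")]
    variants = {
        "transport": esp_transport(plain),
        "tunnel": esp_tunnel(plain),
        "tunnel_then_transport": esp_transport(ip_in_ip(plain)),  # Joe's ordering
        "transport_then_tunnel": ip_in_ip(esp_transport(plain)),  # Awan's ordering
    }
    return {name: (layout(pkt), coverage(pkt)) for name, pkt in variants.items()}


if __name__ == "__main__":
    for name, (shape, cov) in compare_layouts().items():
        print(f"{name:22s} {shape}")
        for hdr, (enc, auth) in cov.items():
            print(f"    {hdr:8s} encrypted={enc!s:5s} authenticated={auth}")
```

Running it shows that "tunnel" and "tunnel_then_transport" produce the same layout and the same coverage (the inner IP header is both encrypted and authenticated), while "transport_then_tunnel" yields [OuterIP][InnerIP][ESP][HLP] with the inner IP header exposed, which is the difference between the two orderings discussed in the message.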