
Re: RFC 2401 section 5.2.1



On Fri, 24 Nov 2000, Francis Dupont wrote:
> => VPN is not the only usage of IPsec and transport mode is better for
> end-to-end security.

How is it "better"?  Aside from slightly reducing the byte count on the
wire, I mean?

We use tunnel mode for end-to-end security quite routinely.  In fact, it
seems to us that tunnel mode actually gives slightly higher security,
because it obscures whether the communication really *is* end-to-end or is
being done on behalf of other hosts.

> PS: there are many votes about AH in the past, AH is still alive...

So far, yes.

> ...and needed by many IPv6 protocols (cf Itojun's mail).

That is exactly the question:  *should* those protocols be relying on the 
quirks of AH?  It would be better if they could also work with ESP.

                                                          Henry Spencer
                                                       henry@spsystems.net
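The two technical claims in this exchange (that tunnel mode hides whether traffic is really end-to-end, and that AH has "quirks" that ESP lacks) can both be made concrete in a few dozen lines. The following is an added illustration, not code from the list, from Henry Spencer or from any IPsec implementation. It builds IPv6 packets with AH and ESP framing, shows that the AH integrity check covers the outer IP header (with the RFC 2402 mutable fields zeroed) while the ESP check does not, and shows what a passive on-path observer can read from transport-mode versus tunnel-mode packets. The key, addresses and payload are constructed sample values, and the HMAC-derived keystream is a stand-in for ESP's real cipher so the file runs with the Python standard library alone.

```python
"""Added example: what AH and ESP integrity checks cover, and what an on-path
observer sees in transport vs tunnel mode.  Not from the mailing list.
The 'cipher' is an HMAC-derived keystream standing in for ESP's real cipher
(constructed for this example only; never use it for traffic)."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed example key - not for real use"   # sample key (assumption)
AH, ESP, IPV6_IN_IPV6, UDP = 51, 50, 41, 17            # IANA protocol numbers
ICV_LEN = 12                                           # HMAC-SHA1-96 (RFC 2404)


def ipv6_header(src, dst, next_hdr, payload_len, hop_limit=64, flow=0, tclass=0):
    """40-byte IPv6 base header."""
    return (struct.pack("!IHBB", (6 << 28) | (tclass << 20) | flow,
                        payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def zero_mutable(hdr):
    """RFC 2402 3.3.3.1.2: AH zeroes traffic class, flow label and hop limit
    before computing the ICV; version, length, next header and the source and
    destination addresses are covered exactly as sent."""
    _vtf, plen, nh, _hop = struct.unpack("!IHBB", hdr[:8])
    return struct.pack("!IHBB", 6 << 28, plen, nh, 0) + hdr[8:]


def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_packet(src, dst, payload, next_hdr=UDP, spi=0x100, seq=1, hop_limit=64):
    """Transport-mode AH: outer header (mutable fields zeroed) + AH header
    (ICV field zeroed) + payload are all authenticated."""
    ah_len = 12 + ICV_LEN                          # 24 bytes: 8-byte aligned for IPv6
    ah_hdr = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    hdr = ipv6_header(src, dst, AH, ah_len + len(payload), hop_limit)
    tag = icv(zero_mutable(hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return hdr + ah_hdr + tag + payload


def ah_verify(pkt):
    hdr, ah_hdr, tag, payload = pkt[:40], pkt[40:52], pkt[52:64], pkt[64:]
    return hmac.compare_digest(tag, icv(zero_mutable(hdr) + ah_hdr + bytes(ICV_LEN) + payload))


def keystream(spi, seq, n):
    """Stand-in keystream: HMAC(KEY, spi|seq|block).  ESP's per-SA sequence
    number is what makes (spi, seq) unique, so the stream never repeats."""
    out = b"".join(hmac.new(KEY, struct.pack("!III", spi, seq, i), hashlib.sha1).digest()
                   for i in range((n + 19) // 20))
    return out[:n]


def esp_protect(plain, next_hdr, spi=0x200, seq=1):
    """ESP: SPI and seq in the clear; payload plus trailer (pad length, next
    header) encrypted; ICV over ESP header + ciphertext only.  The outer IP
    header is not covered, which is the difference from AH."""
    pad = (-(len(plain) + 2)) % 4                  # 32-bit align the trailer
    body = plain + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))
    return esp_hdr + ct + icv(esp_hdr + ct)


def esp_verify(pkt):
    """Check the ESP ICV of a packet whose outer IPv6 header carries ESP."""
    esp = pkt[40:]
    return hmac.compare_digest(esp[-ICV_LEN:], icv(esp[:-ICV_LEN]))


def transport_mode(src, dst, payload, proto=UDP):
    esp = esp_protect(payload, proto)
    return ipv6_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(gw_a, gw_b, src, dst, payload, proto=UDP):
    """The whole inner packet, addresses included, becomes ESP payload."""
    inner = ipv6_header(src, dst, proto, len(payload)) + payload
    esp = esp_protect(inner, IPV6_IN_IPV6)
    return ipv6_header(gw_a, gw_b, ESP, len(esp)) + esp


def observer_view(pkt):
    """What a passive on-path observer learns from the cleartext outer header."""
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "proto": pkt[6]}


def addresses_visible(pkt, *addrs):
    """True if any of the given addresses appears anywhere in the packet bytes."""
    return any(ipaddress.IPv6Address(a).packed in pkt for a in addrs)


if __name__ == "__main__":
    data = b"constructed application data"
    direct = tunnel_mode("2001:db8::1", "2001:db8::2", "2001:db8::1", "2001:db8::2", data)
    relayed = tunnel_mode("2001:db8::1", "2001:db8::2", "2001:db8:a::10", "2001:db8:b::10", data)
    print(observer_view(direct) == observer_view(relayed))   # same outer view
```

Running the file shows the point Spencer makes about tunnel mode: a host tunnelling its own traffic and a gateway tunnelling on behalf of other hosts produce identical outer headers, so the observer cannot tell which is which. The AH functions show the other point in the thread: AH's ICV breaks if the outer source address is rewritten (which is why an address-dependent protocol might want it), while the same rewrite leaves an ESP packet's ICV intact because ESP never covers the outer header.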


