[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 2401 section 5.2.1

To: Henry Spencer <henry@spsystems.net>
Subject: Re: RFC 2401 section 5.2.1
From: Dan Harkins <dharkins@cips.nokia.com>
Date: Sun, 26 Nov 2000 17:52:34 -0800
cc: Francis Dupont <Francis.Dupont@enst-bretagne.fr>, ipsec@lists.tislabs.com, mobile-ip@standards.nortelnetworks.com
In-reply-to: Your message of "Fri, 24 Nov 2000 12:34:48 EST." <Pine.BSI.3.91.1001124123008.24306B-100000@spsystems.net>
Sender: owner-ipsec@lists.tislabs.com

On Fri, 24 Nov 2000 12:34:48 EST you wrote
> 
> We use tunnel mode for end-to-end security quite routinely.  In fact, it
> seems to us that tunnel mode actually gives slightly higher security,
> because it obscures whether the communication really *is* end-to-end or is
> being done on behalf of other hosts.

Obscured from whom? Don't transport mode and tunnel mode packets look
identical to a passive evesdropper since the Next Header field is encrypted? 
(Assuming you're not doing AH, or NULL ESP, which from your previous 
statements seems plausible).

  Dan.

Follow-Ups:

Re: RFC 2401 section 5.2.1

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

Re: RFC 2401 section 5.2.1

From: Henry Spencer <henry@spsystems.net>

References:

Re: RFC 2401 section 5.2.1

From: Henry Spencer <henry@spsystems.net>

Prev by Date: On transport-level policy enforcement (was Re: RFC 2401...)
Next by Date: Re: On transport-level policy enforcement (was Re: RFC 2401...)
Prev by thread: Re: RFC 2401 section 5.2.1
Next by thread: Re: RFC 2401 section 5.2.1
Index(es):
- Main
- Thread