Re: Death to AH (was Re: SA identification)

[Francis Dupont <Francis.Dupont@enst-bretagne.fr>]

 In your previous mail you wrote:

    > > I'd say several of their recommendations were absolute no-brainers:
    > > 
    > > 1) eliminate transport mode

=> my intention was not to reopen the AH war, not the transport/tunnel war,
but if AH and transport mode are eliminated then my "VPNs only" question
will become topical (:-).

    > I *strongly* disagree, unless you meant "eliminate the
    > transport/tunnel distinction".
   
   Indeed.  My personal inclination would be to nuke the idea of "tunnel"
   mode -- if you want tunnels, build them using proto 4 or proto 41, and
   secure that trafic with transport mode ESP.
   
=> the source address check should be revisited too:
 - this is a major difference between tunnel mode and transport mode
   over tunnels
 - many current implementations are compliant but not interoperable
   because of this particular point.

Regards

Francis.Dupont@enst-bretagne.fr

PS: BTW I share Jason's opinion: tunnel mode is a real mess because
it doesn't give a real status to IPsec tunnels (for instance in IPv6
we don't know if they are interfaces or not - please look at IPv6
specs if you don't understand this question).

---

Follow-Ups:

• Re: Death to AH (was Re: SA identification)
• From: Henry Spencer <henry@spsystems.net>

References:

• Re: Death to AH (was Re: SA identification)
• From: Jason R Thorpe <thorpej@zembu.com>

---

• Prev by Date: certificate request
• Next by Date: Re: Death to AH (was Re: SA identification)
• Prev by thread: Re: Death to AH (was Re: SA identification)
• Next by thread: Re: Death to AH (was Re: SA identification)
• Index(es):
  • Main
  • Thread