
Re: Simplifying IKE



 In your previous mail you wrote:

   On Wed, 8 Aug 2001, Francis Dupont wrote:
   >    ...I believe the source route header is primarily used to see
   >    what paths are broken in a network - using the process of elimination.
   
=> you haven't quoted me but the message I answered to...

   Actually, the source route header is increasingly frequently ignored (or
   considered grounds for dropping the packet) by implementations, because of
   its utility for various forms of attack. 
   
=> I agree, but the reason seems to be more the lack of 3-address
filtering in common routers used as (very) poor man's firewalls, plus
FUD about source routing. I believe we can consider source routing
as not available on the IPv4 Internet (IPv6 tries to fix that, so
the game is still played for it).

   > PS: I am not in favor of reducing IPsec to VPNs, which is what will happen
   > if we remove AH and then transport mode...
   
   Can you explain that statement?

=> read my answer to Michael Thomas for my arguments/fears.

   ESP tunnels can do everything AH or transport mode can do,
   although sometimes at very slightly greater cost. 
   
=> yes, but as you have written, there is a cost. And from the routing
point of view, replacing tunnel mode by transport mode with IP-in-IP
(yes, I know they are not the same thing) has many advantages.

Regards

Francis.Dupont@enst-bretagne.fr

PS: as a champion of tunnel mode, can you help me to get
RFC 2401 5.1.2.1 footnote 3 (including its note) correctly
implemented? Of course, for dual-stack implementations it would
be nice to get (as specified by RFC 2401 too) mixed IP version tunnels.
(This seems more useful than reopening the AH hater thread again.)

