
Re: Simplifying IKE



On Wed, 8 Aug 2001, Francis Dupont wrote:
>   > PS: I am not in favor of reducing IPsec to VPNs, the thing which will happen
>   > if we remove AH and then transport mode...
>    
>   Can you explain that statement?
> 
> => read my answer to Michael Thomas for my arguments/fears.

I read your answer, and I fear I am no wiser.  You still haven't explained
why dumping AH and transport mode would "reduce IPsec to VPNs", perhaps
because it is not clear what you mean by "VPNs" or what your envisioned
non-"VPN" applications for IPsec are (and why they can't be done with ESP
tunnels). 

>    ESP tunnels can do everything AH or transport mode can do,
>    although sometimes at very slightly greater cost. 
>    
> => yes but as you have written there is a cost.

Quite so; however, my claim is that it is very seldom a significant cost.
We commonly accept general-purpose mechanisms whose costs are slightly
higher than necessary for any particular application, for the sake of
generality and simplicity.  Numbers matter; a claim that the costs of
simplification are unacceptable needs to be justified numerically. 

> And from the routing
> point of view, replacing tunnel mode by transport mode with IP-in-IP 
> (yes, I know they are not the same thing) has many advantages.

My feeling is that many of the purported advantages are actually accidents
of particular implementations, not fundamental to the protocols.

> PS: as a champion of the tunnel mode, can you help me in order to
> have RFC 2401 5.1.2.1 footnote 3 (including its note) correctly
> implemented.

I'm certainly interested in helping: I don't immediately see what help
you are asking for...

                                                          Henry Spencer
                                                       henry@spsystems.net
