Specification of tunnel/transport attribute in IKEv2
I remember reading a posting on the list recently about the confusion
surrounding the specification of tunnel mode with SA bundles (i.e. if you
are doing ESP+AH, should you specify tunnel mode for one and transport for
the other or tunnel for both). At the bakeoffs, we decided that you should
put tunnel mode in both protocols. Also, we decided that the ordering of the
protocols in the proposal shouldn't matter, since the only ordering that
makes sense is [AH][ESP][IPCOMP].

I figured we should make sure that these ambiguities are cleared up in the
Son-of-IKE candidates. However, in perusing through the IKEv2 draft, I can
find no mention of tunnel mode or transport mode at all. Are the authors
assuming that one of the modes is going to be eliminated before we
standardize SOI, or is this just an oversight? Also, it might be nice to
mention that the ordering of the protocols within the proposal does not
affect the order in which they are applied to IPsec packets.

A final issue is where to specify the group number if (god forbid) you are
using PFS. I think we decided that it should be specified in both the ESP
and AH protocols and optionally in IPCOMP. I wish I could find the
antecedent message (I think it was by Joern), but nothing on this subject
has been posted in the last few days.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
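As an added illustration (not part of Andrew's message or of any IKE implementation), the small check below encodes the bakeoff conventions discussed above: the mode is carried by every protocol and must agree, the protocol order is normalized to AH, ESP, IPCOMP regardless of how the proposal lists them, and with PFS the group must be present in both AH and ESP but is optional in IPCOMP. The data model is symbolic, not the IKE proposal wire format, and requiring the AH and ESP groups to match is this example's own assumption.

```python
"""Consistency check for an ESP+AH(+IPCOMP) SA bundle proposal.

Constructed example following the bakeoff conventions quoted above; the
data model is symbolic and is NOT the IKE proposal wire format.
"""
from dataclasses import dataclass
from typing import List, Optional

# The only protocol ordering that makes sense on the wire is AH, ESP, IPCOMP,
# so the order inside the proposal must not change how they are applied.
APPLY_ORDER = ("AH", "ESP", "IPCOMP")

@dataclass
class ProtocolProposal:
    protocol: str                   # "AH", "ESP" or "IPCOMP"
    mode: str                       # "tunnel" or "transport"
    dh_group: Optional[int] = None  # PFS group number, if PFS is in use

def canonical_order(protos: List[ProtocolProposal]) -> List[ProtocolProposal]:
    """Reorder protocols to AH, ESP, IPCOMP regardless of proposal order."""
    return sorted(protos, key=lambda p: APPLY_ORDER.index(p.protocol))

def check_bundle(protos: List[ProtocolProposal], pfs: bool = False) -> List[str]:
    """Return the list of problems found; an empty list means consistent."""
    problems = []
    names = [p.protocol for p in protos]
    for name in names:
        if name not in APPLY_ORDER:
            problems.append(f"{name}: unknown protocol")
    if len(set(names)) != len(names):
        problems.append("a protocol appears more than once in the bundle")
    # Bakeoff decision: the mode is carried by every protocol and must agree
    # (tunnel in both for an ESP+AH tunnel-mode bundle).
    modes = {p.mode for p in protos}
    if len(modes) > 1:
        problems.append(f"mode differs across protocols: {sorted(modes)}")
    if pfs:
        # Group is required in ESP and AH, optional in IPCOMP; requiring the
        # ESP and AH groups to match is this example's own assumption.
        required = {p.protocol: p.dh_group for p in protos
                    if p.protocol in ("AH", "ESP")}
        for name, group in required.items():
            if group is None:
                problems.append(f"{name}: PFS group must be specified")
        groups = {g for g in required.values() if g is not None}
        if len(groups) > 1:
            problems.append(f"PFS group differs between AH and ESP: {sorted(groups)}")
    return problems
```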