
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-05.txt



Steve Dispensa wrote:
> On Mon, 2002-12-23 at 06:55, Internet-Drafts@ietf.org wrote:
> 
>>A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>This draft is a work item of the IP Security Protocol Working Group of the IETF.
>>
>>	Title		: UDP Encapsulation of IPsec Packets
>>	Author(s)	: A. Huttunen et al.
>>	Filename	: draft-ietf-ipsec-udp-encaps-05.txt
>>	Pages		: 0
>>	Date		: 2002-12-20
> 
> 
> This may be a typo, but the second paragraph of the introduction
> states:  "It is up to the need of the clients whether transport mode or
> tunnel mode is to be supported. L2TP/IPsec clients MUST support
> transport mode since [RFC 3193] defines that L2TP/IPsec MUST use
> transport mode], and IPsec tunnel mode clients MUST support tunnel
> mode."  Note that RFC 3193 does not, in fact, require the use of
> transport mode with L2TP, just that implementations support transport
> mode.  (RFC 3193 section 2.1)  This is sort of cleared up in the next
> sentence, but the wording should probably be fixed.

RFC 3193 seems to say "Transport mode MUST be supported; tunnel
mode MAY be supported."

We could rephrase the introduction to be something like this, because
otherwise we'd no longer even optionally support this tunnel mode
L2TP/IPsec. Or so it could be seen. At least that's what I see
was intended originally. (Note that I've not read RFC 3193 in full and
hopefully never will.)

     It is up to the need of the clients whether transport mode
     or tunnel mode is to be supported. L2TP/IPsec clients MUST support
     transport mode and MAY support tunnel mode, as defined in [RFC 3193].
     IPsec tunnel mode clients MUST support tunnel mode.

> FWIW, this is a bit of a sore spot with me.  We regularly use L2TP over
> tunnel mode due to separation of the l2tp server from the IPSEC
> concentrator.  This creates problems on the client side (Windows users
> in particular) due to dumb client implementations.  

Well, looks to me like those Windows clients are behaving
according to RFC 3193, by not implementing tunnel mode. Tough luck.

Ari

>  -sd


-- 
I play it cool and dig all jive,
  that's the reason I stay alive.
   My motto as I live and learn,
    is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise