Re: revised IPsec processing model

[Mark Baugher <mbaugher@cisco.com>]

At 03:28 AM 7/18/2003 -0400, Stephen Kent wrote:
>At 13:57 +0900 7/18/03, itojun@iijlab.net wrote:
>>  >Here is the new, proposed processing model for IPsec.  Comments
>>>welcome, of course.
>>
>>         the text is a bit unclear whether it is talking about transport mode
>>         or tunnel mode.
>>
>>         "virtual interface" is for tunnel mode only, am i right?  if so,
>>         you can now remove tunnel mode from FFC2401 - there are bunch of
>>         tunnel specification available (like RFC2893, RFC1853, RFC2003)
>>         and tunnel mode will be replaced by "transport mode + tunnelling".
>>         i love to see the change.
>>
>>         if "virtual interface" is used also for transport mode, it will be
>>         incompatible with IPv6 linklocal address (by changing inbound 
>> interface
>>         for a packet, i.e.  m->m_pkthdr.rcvif in BSD, you change the scope
>>         zone).  therefore i object to apply "virtual interface" concept
>>         to transport mode.
>>
>>itojun
>
>There is no plan to remove tunnel mode from the spec. The plan was to 
>apply this model for both transport and tunnle modes.

As recommended by Ferguson and Schneier?

Mark


>Steve