[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: revised IPsec processing model

To: Mark Baugher <mbaugher@cisco.com>
Subject: Re: revised IPsec processing model
From: Stephen Kent <kent@bbn.com>
Date: Fri, 18 Jul 2003 18:01:34 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <5.1.1.5.2.20030718074219.079be5b0@mira-sjc5-6.cisco.com>
References: <20030718045758.B1A12A3@coconut.itojun.org><20030718045758.B1A12A3@coconut.itojun.org><5.1.1.5.2.20030718074219.079be5b0@mira-sjc5-6.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

At 7:43 -0700 7/18/03, Mark Baugher wrote:
>At 03:28 AM 7/18/2003 -0400, Stephen Kent wrote:
>>At 13:57 +0900 7/18/03, itojun@iijlab.net wrote:
>>>  >Here is the new, proposed processing model for IPsec.  Comments
>>>>welcome, of course.
>>>
>>>         the text is a bit unclear whether it is talking about transport mode
>>>         or tunnel mode.
>>>
>>>         "virtual interface" is for tunnel mode only, am i right?  if so,
>>>         you can now remove tunnel mode from FFC2401 - there are bunch of
>>>         tunnel specification available (like RFC2893, RFC1853, RFC2003)
>>>         and tunnel mode will be replaced by "transport mode + tunnelling".
>>>         i love to see the change.
>>>
>>>         if "virtual interface" is used also for transport mode, it will be
>>>         incompatible with IPv6 linklocal address (by changing 
>>>inbound interface
>>>         for a packet, i.e.  m->m_pkthdr.rcvif in BSD, you change the scope
>>>         zone).  therefore i object to apply "virtual interface" concept
>>>         to transport mode.
>>>
>>>itojun
>>
>>There is no plan to remove tunnel mode from the spec. The plan was 
>>to apply this model for both transport and tunnle modes.
>
>As recommended by Ferguson and Schneier?
>
>Mark

If I understand your question, the answer is no. Long ago this WG 
decided that the paper you cite had several errors, probably a result 
of the authors not being protocol experts.  their critique of IKE v1 
was much more credible than the corresponding comments re ESP and AH. 
The list discussed the possibility of simplifying IPsec by dropping 
either tunnel or transport mode, and there was some support for that 
notion, but the support was divided between those who wanted to drop 
tunnel mode, and those who wanted to drop transport mode.  so, unless 
directed by the WG chairs, we plan to continue support for both modes.

However, consistent with the introduction of the forwarding function 
and virtual interfaces, and with the growing practice of using IPsec 
as a lower layer 3 security protocol (vs. upper layer 3, where IP 
lives), we do intened to relax the restriction on when to use 
transport mode, along with appropriate warnings.

Steve

References:
- Re: revised IPsec processing model
  - From: itojun@iijlab.net
- Re: revised IPsec processing model
  - From: Mark Baugher <mbaugher@cisco.com>

Prev by Date: Re: ipsec SAs
Next by Date: Re: revised IPsec processing model
Prev by thread: Re: revised IPsec processing model
Next by thread: Re: revised IPsec processing model: Q: VID and forwarding function
Index(es):
- Date
- Thread