[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: revised IPsec processing model
At 7:43 -0700 7/18/03, Mark Baugher wrote:
>At 03:28 AM 7/18/2003 -0400, Stephen Kent wrote:
>>At 13:57 +0900 7/18/03, itojun@iijlab.net wrote:
>>> >Here is the new, proposed processing model for IPsec. Comments
>>>>welcome, of course.
>>>
>>> the text is a bit unclear whether it is talking about transport mode
>>> or tunnel mode.
>>>
>>> "virtual interface" is for tunnel mode only, am i right? if so,
>>> you can now remove tunnel mode from FFC2401 - there are bunch of
>>> tunnel specification available (like RFC2893, RFC1853, RFC2003)
>>> and tunnel mode will be replaced by "transport mode + tunnelling".
>>> i love to see the change.
>>>
>>> if "virtual interface" is used also for transport mode, it will be
>>> incompatible with IPv6 linklocal address (by changing
>>>inbound interface
>>> for a packet, i.e. m->m_pkthdr.rcvif in BSD, you change the scope
>>> zone). therefore i object to apply "virtual interface" concept
>>> to transport mode.
>>>
>>>itojun
>>
>>There is no plan to remove tunnel mode from the spec. The plan was
>>to apply this model for both transport and tunnle modes.
>
>As recommended by Ferguson and Schneier?
>
>Mark
If I understand your question, the answer is no. Long ago this WG
decided that the paper you cite had several errors, probably a result
of the authors not being protocol experts. their critique of IKE v1
was much more credible than the corresponding comments re ESP and AH.
The list discussed the possibility of simplifying IPsec by dropping
either tunnel or transport mode, and there was some support for that
notion, but the support was divided between those who wanted to drop
tunnel mode, and those who wanted to drop transport mode. so, unless
directed by the WG chairs, we plan to continue support for both modes.
However, consistent with the introduction of the forwarding function
and virtual interfaces, and with the growing practice of using IPsec
as a lower layer 3 security protocol (vs. upper layer 3, where IP
lives), we do intened to relax the restriction on when to use
transport mode, along with appropriate warnings.
Steve