
Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer



>X-Sender: kseo@po2.bbn.com
>Date: Tue, 26 Aug 2003 14:39:00 -0400
>To: ipsec@lists.tislabs.com
>From: Karen Seo <kseo@bbn.com>
>Subject: IPsec issue #50 -- tunnel vs transport mode at link layer
>Cc: "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi,
>    kseo@bbn.com
>
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #:	50
>
>Title:		Tunnel vs transport mode for link security
>
>Description:	At present, security gateways must use tunnel mode
>		between two security gateways (SGs) or between a security
>		gateway and a host.  This is because in a number of
>		circumstances, tunnel mode is necessary to enable one
>		to address an IP packet to a specific, intermediate
>		IPsec processing point along the path to the eventual
>		destination.  This can't be done if the header contains
>		only the final destination address. However, for
>		point-to-point security, the goal is typically
>		confidentiality and/or integrity and authenticity
>		between two systems (SGs) which are often
>		intermediate between the source and destination and
>		where the next protocol is not transport or IP, e.g.,
>		GRE.  In these situations, use of transport mode is
>		reasonable and in fact, that is what is already being
>		done.  Therefore, 2401bis should allow this usage.
>
>Proposed approach
>
>	1. The section describing transport and tunnel modes should
>	be amended to allow transport mode to be used by a security
>	gateway for "link" security.  There should also be a
>	warning about the reduction in access control functionality
>	in this situation.  Text along the lines of the following
>	should be added:
>
>	"In the case where link security is desired between
>	two intermediate systems (security gateways) along a path,
>	transport mode may be used instead of tunnel mode.  Note
>	that the access control functions that are an important part
>	of IPsec are significantly constrained in this context.
>	So this way of using transport mode should be evaluated carefully
>	before being employed."
>
>Thank you,
>Karen
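As an added illustration of the access-control caveat in the proposal above (this is not code from the original mail or from any IPsec implementation), the following Python models which traffic selectors a security gateway's SPD can match on for the same inner packet in tunnel mode versus transport mode with GRE as the next protocol. The gateway and host addresses and the example policy rule are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: compare the selectors an IPsec SPD lookup can use
# when two security gateways protect the same inner packet in tunnel mode
# versus transport mode carrying GRE between the gateways.
SG1, SG2 = "192.0.2.1", "198.51.100.1"   # assumed gateway addresses
GRE, TCP = 47, 6                          # IP protocol numbers

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # destination port, if the protocol has one

def selectors_tunnel(inner: IPHeader) -> IPHeader:
    # Tunnel mode: the SG encapsulates the whole inner packet, so the SPD
    # can use the inner addresses, protocol and port as selectors.
    return inner

def selectors_transport_gre(inner: IPHeader) -> IPHeader:
    # Transport mode between SGs with GRE as next protocol: the header the
    # SPD sees names the gateways and protocol 47; the GRE payload is
    # opaque, so every inner flow yields the same selectors.
    return IPHeader(SG1, SG2, GRE)

def policy_allows(sel: IPHeader, dst_net: str, dport: int) -> bool:
    # Assumed SPD rule: permit only TCP to dst_net on dport, drop the rest.
    return (ipaddress.ip_address(sel.dst) in ipaddress.ip_network(dst_net)
            and sel.proto == TCP and sel.dport == dport)

def distinguishable(mode, a: IPHeader, b: IPHeader) -> bool:
    # True if the SPD sees different selectors for two inner packets,
    # i.e. the gateway can apply different access-control decisions.
    return mode(a) != mode(b)

# Constructed inner packets: a permitted HTTPS flow and a disallowed telnet flow.
WEB = IPHeader("10.1.0.5", "10.2.0.7", TCP, 443)
TELNET = IPHeader("10.1.0.5", "10.2.0.7", TCP, 23)

if __name__ == "__main__":
    for name, mode in (("tunnel", selectors_tunnel),
                       ("transport+GRE", selectors_transport_gre)):
        print(name, "selectors:", mode(WEB),
              "| can separate web from telnet:",
              distinguishable(mode, WEB, TELNET))
```

In tunnel mode the rule admits the HTTPS flow and drops telnet; in transport mode over GRE both flows collapse to the same gateway-to-gateway, protocol-47 selectors, which is the reduction in access control the proposed warning text refers to.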