Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer
>X-Sender: kseo@po2.bbn.com
>Date: Tue, 26 Aug 2003 14:39:00 -0400
>To: ipsec@lists.tislabs.com
>From: Karen Seo <kseo@bbn.com>
>Subject: IPsec issue #50 -- tunnel vs transport mode at link layer
>Cc: "Angelos D. Keromytis" <angelos@cs.columbia.edu>, kivinen@ssh.fi,
> kseo@bbn.com
>
>Folks,
>
>Here's a description and proposed approach for:
>
>IPsec Issue #: 50
>
>Title: Tunnel vs transport mode for link security
>
>Description: At present, security gateways must use tunnel mode
> between two security gateways (SGs) or between a security
> gateway and a host. This is because in a number of
> circumstances, tunnel mode is necessary to enable one
> to address an IP packet to a specific, intermediate
> IPsec processing point along the path to the eventual
> destination. This can't be done if the header contains
> only the final destination address. However, for
> point-to-point security, the goal is typically
> confidentiality and/or integrity and authenticity
> between two systems (SGs) which are often
> intermediate between the source and destination and
> where the next protocol is not transport or IP, e.g.,
> GRE. In these situations, use of transport mode is
> reasonable and, in fact, that is what is already being
> done. Therefore, 2401bis should allow this usage.
>
>Proposed approach
>
> 1. The section describing transport and tunnel modes should
> be amended to allow transport mode to be used by a security
> gateway for "link" security. There should also be a
> warning about the reduction in access control functionality
> in this situation. Text along the lines of the following
> should be added:
>
> "In the case where link security is desired between
> two intermediate systems (security gateways) along a path,
> transport mode may be used instead of tunnel mode. Note
> that the access control functions that are an important part
> of IPsec are significantly constrained in this context.
> So this way of using transport mode should be evaluated carefully
> before being employed."
>
>Thank you,
>Karen
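The access-control caveat in the proposed text can be made concrete with a small model of which packet fields an SPD selector can still see in each mode. This is an added example, not text or code from the draft or the working group; the host and gateway addresses, the GRE-over-ESP layering and the `selector()` rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

TCP, GRE, ESP = 6, 47, 50  # IANA protocol numbers

@dataclass(frozen=True)
class IP:
    src: str
    dst: str
    proto: int                    # next-protocol number following this header
    dport: Optional[int] = None   # transport destination port, if proto is TCP/UDP

@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: int
    dport: Optional[int]

def sg_tunnel_mode(end_to_end: IP, sg_a: str, sg_b: str) -> tuple:
    """SG-A wraps the hosts' packet: new outer IP to SG-B, ESP, then the inner IP."""
    return (IP(sg_a, sg_b, ESP), "ESP", end_to_end)

def sg_transport_mode_over_gre(end_to_end: IP, sg_a: str, sg_b: str) -> tuple:
    """Link security: the SGs already carry the packet in GRE, and ESP is inserted
    after the GRE-carrying IP header, so ESP's next header is GRE, not IP."""
    return (IP(sg_a, sg_b, ESP), "ESP", "GRE", end_to_end)

def selector(packet: tuple) -> Selector:
    """Fields an SPD entry can match on (assumed model).
    Tunnel mode: the inner header's addresses, protocol and port.
    Transport mode over GRE: only the outer addresses and GRE as next protocol;
    the end-to-end IP packet behind GRE is opaque to selector matching."""
    outer, after_esp = packet[0], packet[2]
    if isinstance(after_esp, IP):
        return Selector(after_esp.src, after_esp.dst, after_esp.proto, after_esp.dport)
    return Selector(outer.src, outer.dst, GRE, None)

def can_discriminate(flow_a: IP, flow_b: IP,
                     encap: Callable[[IP, str, str], tuple]) -> bool:
    """True if the SPD could apply different policy to the two end-to-end flows."""
    sa, sb = "192.0.2.1", "198.51.100.1"   # constructed SG addresses
    return selector(encap(flow_a, sa, sb)) != selector(encap(flow_b, sa, sb))

if __name__ == "__main__":
    ssh = IP("10.1.0.5", "10.2.0.9", TCP, 22)   # constructed host flows
    web = IP("10.1.0.5", "10.2.0.9", TCP, 80)
    print("tunnel mode distinguishes flows:", can_discriminate(ssh, web, sg_tunnel_mode))
    print("transport/GRE distinguishes flows:", can_discriminate(ssh, web, sg_transport_mode_over_gre))
```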