
Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer

Stephen Kent wrote:

>> ...
>>
>>>  I think that the model we should be using, which is less restrictive
>>>  than what 2401 says, is that a user of IPsec can perform tunneling
>>>  before invoking IPsec, if the application context warrants, and in that
>>>  case IPsec can be used in transport mode and will enforce access
>>>  controls based only on the external header. consistent with the
>>>  provision of link security.
>>
>> Transport mode checks the internal transport header. When a tunneled 
>> packet uses transport mode, the inner packet is an IP header, and 
>> should be checked as well.
> 
> For outbound traffic there is no difference between the header examined 
> by transport or tunnel mode in IPsec. But for inbound traffic, transport 
> and tunnel mode examine different headers. That is the essence of the 
> difference between the two modes. Please do not redefine what transport 
> mode does today to match what you want it to do in the future.

_Tunneling_ (encaps/decaps) is the "essence of the difference".

Which headers are checked, or whether such is part of IPsec or a 
separate firewall service, or whether such is applied consistently 
within IPsec, is certainly an artifact of what is done today.

Redefining what is done today is the "essence of the difference" that 
warrants revision of 2401.

Transport mode ignores all but two (coming to be three) specific 
Internet transport protocols. It will be incomplete until it handles the 
remainder.

Joe
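The point the two replies argue over (which IP header an inbound packet's access-control selectors are taken from in transport mode versus tunnel mode, and that port selectors exist only for the transports IPsec knows how to parse) can be seen concretely in a small model of inbound selector extraction. The code below is an added example written for this page; it is not code from either correspondent and not an implementation of RFC 2401. The addresses, the IP-in-IP packet and the single SPD entry are constructed for illustration, and the SPD model omits real selectors such as the SPI and name.

```python
"""
Added example (not from the original thread): a minimal model of how an
IPsec receiver derives access-control selectors from an inbound packet
after AH/ESP has been removed, in transport mode versus tunnel mode.
Addresses, packet contents and the SPD entry are constructed.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def build_ipv4(src, dst, proto, payload):
    """Assemble a 20-byte IPv4 header (no options) plus payload; checksum left zero."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) from a buffer that starts with an IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    proto = buf[9]
    src = str(IPv4Address(buf[12:16]))
    dst = str(IPv4Address(buf[16:20]))
    return src, dst, proto, buf[ihl:]


def transport_ports(proto, payload):
    """Port selectors exist only for the transports the model knows (TCP, UDP)."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None  # any other next-protocol (e.g. IP-in-IP) yields no port selectors


def inbound_selectors(packet, mode):
    """
    Selectors the receiver checks once AH/ESP has been stripped.
    transport: the only IP header present is the one IPsec was applied to.
    tunnel:    the outer header is discarded and the inner header is used.
    """
    src, dst, proto, payload = parse_ipv4(packet)
    if mode == "tunnel":
        src, dst, proto, payload = parse_ipv4(payload)  # decapsulate
    return {"src": src, "dst": dst, "proto": proto,
            "ports": transport_ports(proto, payload)}


def spd_decision(selectors, spd):
    """First-match SPD lookup; None in an entry field is a wildcard."""
    for entry in spd:
        for key in ("src", "dst", "proto"):
            if entry[key] is not None and entry[key] != selectors[key]:
                break
        else:
            ports = selectors["ports"]
            if entry["dport"] is None or (ports and ports[1] == entry["dport"]):
                return entry["action"]
    return "DISCARD"


# Constructed packet: IP-in-IP (proto 4) from gateway 192.0.2.1 to 192.0.2.2,
# carrying a TCP segment from host 10.0.0.5 to 10.0.1.7, destination port 80.
TCP_SEGMENT = struct.pack("!HH", 40000, 80) + b"\x00" * 16
INNER = build_ipv4("10.0.0.5", "10.0.1.7", IPPROTO_TCP, TCP_SEGMENT)
TUNNELED = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, INNER)

# Constructed SPD: only the inner hosts' HTTP traffic is permitted.
SPD = [
    {"src": "10.0.0.5", "dst": "10.0.1.7", "proto": IPPROTO_TCP,
     "dport": 80, "action": "PROTECT"},
]


def demo():
    """Run the same tunneled packet through both modes; returns {mode: (selectors, decision)}."""
    results = {}
    for mode in ("transport", "tunnel"):
        sel = inbound_selectors(TUNNELED, mode)
        results[mode] = (sel, spd_decision(sel, SPD))
    return results


if __name__ == "__main__":
    for mode, (sel, decision) in demo().items():
        print(f"{mode:9s} selectors={sel} -> {decision}")
```

In transport mode the receiver's selectors are the gateway addresses and protocol 4 with no ports, so a per-host SPD entry cannot be matched at all; only the outer-header policy is enforceable, which is the "link security" reading in the first quoted passage. In tunnel mode the same bytes yield the inner hosts, TCP and port 80, which is the inbound difference the second quoted passage describes.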