
Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer



Joe,

>Providing an end-to-end (gateway to gateway) service for securing 
>traffic between two enterprises would be a feature of an application 
>that might use IPsec, as well as other services (e.g., firewalls, 
>tunnels) and protocols (IKE, a tunnel configuration protocol, a 
>firewall configuration protocol), to provide a consistent and 
>coherent capability.
>
>I do not agree that this necessitates direct support for an 
>integrated solution inside IPsec, any more than supporting VNs 
>inside IPsec does.

We're not converging on this disagreement.  I'll not pursue it anymore.

>...
>>  I think that the model we should be using, which is less restrictive
>>  than what 2401 says, is that a user of IPsec can perform tunneling
>>  before invoking IPsec, if the application context warrants, and in that
>>  case IPsec can be used in transport mode and will enforce access
>>  controls based only on the external header, consistent with the
>>  provision of link security.
>
>Transport mode checks the internal transport header. When a tunneled 
>packet uses transport mode, the inner packet is an IP header, and 
>should be checked as well.

For outbound traffic there is no difference between the header 
examined by transport or tunnel mode in IPsec. But for inbound 
traffic, transport and tunnel mode examine different headers. That is 
the essence of the difference between the two modes. Please do not 
redefine what transport mode does today to match what you want it to 
do in the future.


Steve
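The inbound/outbound asymmetry Steve describes is easy to lose in prose, so here is a small model of it as an added illustration. This is not code from the thread or from any IPsec implementation; it is a simplified sketch of RFC 2401-style selector checking with constructed addresses from the documentation ranges. The SA, Selector and Packet types and the `inbound_check`/`outbound_check` functions are assumptions made for the example. The point it shows is the one under dispute: when a user tunnels first and then applies transport mode, inbound access control sees only the outer (tunnel) header, so an inner packet from an unexpected source is never examined, whereas a tunnel-mode SA applies its selectors to the inner header after decapsulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

IPIP = 4   # IP-in-IP protocol number
TCP = 6


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # next-layer port; only meaningful for TCP/UDP


@dataclass(frozen=True)
class Packet:
    """A packet after ESP/AH processing: its own IP header plus, if the
    next protocol is IP-in-IP, the encapsulated inner header."""
    hdr: IPHeader
    inner: Optional[IPHeader] = None


@dataclass(frozen=True)
class Selector:
    src: str                       # CIDR
    dst: str                       # CIDR
    proto: Optional[int] = None    # None = any protocol
    dport: Optional[int] = None    # None = any port

    def matches(self, h: IPHeader) -> bool:
        return (ip_address(h.src) in ip_network(self.src)
                and ip_address(h.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == h.proto)
                and (self.dport is None or self.dport == h.dport))


@dataclass(frozen=True)
class SA:
    mode: str          # "transport" or "tunnel" (assumed names for this model)
    selector: Selector


def inbound_check(sa: SA, pkt: Packet) -> Tuple[bool, str]:
    """Return (accepted, which_header_was_examined) for an inbound packet
    that arrived on `sa` and passed its ESP/AH integrity check."""
    if sa.mode == "transport":
        # Transport mode applies the selectors to the packet's own IP header
        # and next-layer header. If that next layer is another IP header
        # (traffic the user tunneled before invoking IPsec), it is payload
        # here and is not examined.
        return sa.selector.matches(pkt.hdr), "outer"
    if sa.mode == "tunnel":
        # Tunnel mode strips the outer header after decapsulation and applies
        # the selectors to the inner header.
        if pkt.hdr.proto != IPIP or pkt.inner is None:
            return False, "outer"   # no inner packet on a tunnel-mode SA: reject
        return sa.selector.matches(pkt.inner), "inner"
    raise ValueError(f"unknown mode {sa.mode!r}")


def outbound_check(sa: SA, pkt: Packet) -> Tuple[bool, str]:
    """Outbound: in either mode the selectors are applied to the packet as the
    caller hands it to IPsec; tunnel mode then adds an outer header around it.
    So the header examined is the same regardless of mode."""
    return sa.selector.matches(pkt.hdr), "as presented"


def demo() -> dict:
    # Constructed example addresses (documentation ranges), not from the thread.
    gw_sel = Selector("192.0.2.0/24", "198.51.100.1/32", proto=IPIP)
    transport_sa = SA("transport", gw_sel)                        # tunnel-then-transport
    tunnel_sa = SA("tunnel", Selector("10.0.0.0/24", "10.1.0.0/24"))

    outer = IPHeader("192.0.2.1", "198.51.100.1", IPIP)
    expected = Packet(outer, IPHeader("10.0.0.9", "10.1.0.5", TCP, dport=23))
    stray = Packet(outer, IPHeader("172.16.0.1", "10.1.0.5", TCP, dport=23))

    return {
        "transport_expected": inbound_check(transport_sa, expected),
        "transport_stray": inbound_check(transport_sa, stray),     # accepted: inner unseen
        "tunnel_expected": inbound_check(tunnel_sa, expected),
        "tunnel_stray": inbound_check(tunnel_sa, stray),           # rejected: inner checked
        "outbound_tunnel": outbound_check(tunnel_sa, Packet(expected.inner)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} accepted={result[0]!s:5s} header={result[1]}")
```

Running `demo()` makes the asymmetry concrete: both transport-mode results are accepted because only the outer header was consulted, while the tunnel-mode SA rejects the packet whose inner source falls outside its selectors. Whether an implementation should additionally look inside pre-tunneled payload in transport mode is exactly the question the two posters disagree on; the model above follows transport mode as defined, not as a proposed extension.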