
Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer



At 8:50 -0700 9/23/03, Joe Touch wrote:
>Stephen Kent wrote:
>
>>>...
>>>
>>>>  I think that the model we should be using, which is less restrictive
>>>>  than what 2401 says, is that a user of IPsec can perform tunneling
>>>>  before invoking IPsec, if the application context warrants, and in that
>>>>  case IPsec can be used in transport mode and will enforce access
>>>>  controls based only on the external header, consistent with the
>>>>  provision of link security.
>>>
>>>Transport mode checks the internal transport header. When a 
>>>tunneled packet uses transport mode, the inner packet is an IP 
>>>header, and should be checked as well.
>>
>>For outbound traffic there is no difference between the header 
>>examined by transport or tunnel mode in IPsec. But for inbound 
>>traffic, transport and tunnel mode examine different headers. That 
>>is the essence of the difference between the two modes. Please do 
>>not redefine what transport mode does today to match what you want 
>>it to do in the future.
>
>_Tunneling_ (encaps/decaps) is the "essence of the difference".
>
>Which headers are checked, or whether such is part of IPsec or a 
>separate firewall service, or whether such is applied consistently 
>within IPsec, is certainly an artifact of what is done today.
>
>Redefining what is done today is the "essence of the difference" 
>that warrants revision of 2401.
>
>Transport mode ignores all but two (coming to be three) specific 
>Internet transport protocols. It will be incomplete until it handles 
>the remainder.
>
>Joe

Joe,

I'm afraid you decided a while ago that tunnel mode does match your 
model of how IPsec should work. The vast majority of folks who have 
implemented IPsec do not seem to share this view. I have stated how 
we're changing the spec so that you can perform IP-in-IP tunneling 
and legitimately claim conformance. However, I am not comfortable 
changing the fundamental notion of tunnel and transport mode to 
accommodate your model, and thus break all the extant implementations 
that have complied with 2401.

Unless I am directed otherwise by the WG chairs, or the Security ADs, 
I will not continue this discussion.

Steve
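The disagreement above turns on which IP header an inbound SA's selectors are compared against. The following toy model, added here as an illustration and not code from this thread or from any IPsec implementation, makes that concrete: a transport-mode SA checks the header that carried AH/ESP, a tunnel-mode SA checks the encapsulated header, and outbound both modes check the packet handed to IPsec. The gateway addresses, selector entries and packets are constructed sample values; the "link security" case is modelled as IP-in-IP encapsulation followed by a transport-mode SA whose selectors can only describe the outer header.

```python
"""Toy model of the IPsec selector check the thread argues about.

Added illustration for this discussion; it is not code from the list
or from any IPsec implementation. Addresses, policy entries and the
packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IPPROTO_IPIP = 4    # IP-in-IP encapsulation (RFC 2003)
IPPROTO_TCP = 6


@dataclass
class IPPacket:
    """A heavily reduced IP packet: addresses, protocol, optional inner packet."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None          # transport-layer destination port, if any
    inner: Optional["IPPacket"] = None   # present when proto == IPPROTO_IPIP


@dataclass
class Selector:
    """An SPD/SA selector set: the traffic an SA is permitted to carry."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None   # None means "any"
    dport: Optional[int] = None   # None means "any"

    def matches(self, pkt: IPPacket) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def header_checked_inbound(pkt: IPPacket, mode: str) -> IPPacket:
    """Which header an inbound SA compares against its selectors.

    transport: the header that carried AH/ESP, i.e. the packet as received.
    tunnel:    the header found inside AH/ESP, i.e. the encapsulated packet.
    """
    if mode == "transport":
        return pkt
    if mode == "tunnel":
        if pkt.proto != IPPROTO_IPIP or pkt.inner is None:
            raise ValueError("tunnel-mode SA but no inner IP header to check")
        return pkt.inner
    raise ValueError(f"unknown mode {mode!r}")


def inbound_check(pkt: IPPacket, mode: str, sel: Selector) -> bool:
    """Inbound access control applied after AH/ESP processing."""
    return sel.matches(header_checked_inbound(pkt, mode))


def outbound_check(pkt: IPPacket, mode: str, sel: Selector) -> bool:
    """Outbound: both modes match the packet handed to IPsec; the mode only
    decides whether a new outer header is added afterwards."""
    return sel.matches(pkt)


# --- constructed sample values -------------------------------------------
# Two security gateways (TEST-NET addresses) and the sites behind them.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"

# Tunnel-mode SA: selectors describe the protected *inner* traffic.
INNER_SEL = Selector("10.1.0.0/16", "10.2.0.0/16")
# Transport-mode SA applied after IP-in-IP tunnelling: selectors can only
# describe the *outer* header (the "link security" model in the thread).
OUTER_SEL = Selector(f"{GW_A}/32", f"{GW_B}/32", proto=IPPROTO_IPIP)

# Outer header is fine, but the inner source lies outside site A's prefix
# (a misrouted or spoofed host behind gateway A).
SUSPECT = IPPacket(GW_A, GW_B, IPPROTO_IPIP,
                   inner=IPPacket("10.9.9.9", "10.2.0.5", IPPROTO_TCP, dport=22))
# The same encapsulation carrying legitimate site-A traffic.
LEGIT = IPPacket(GW_A, GW_B, IPPROTO_IPIP,
                 inner=IPPacket("10.1.0.7", "10.2.0.5", IPPROTO_TCP, dport=22))


def compare_modes() -> dict:
    """Summarise what each mode admits for the two sample packets."""
    return {
        "suspect_transport": inbound_check(SUSPECT, "transport", OUTER_SEL),
        "suspect_tunnel": inbound_check(SUSPECT, "tunnel", INNER_SEL),
        "legit_tunnel": inbound_check(LEGIT, "tunnel", INNER_SEL),
        "outbound_same": outbound_check(LEGIT, "transport", OUTER_SEL)
        == outbound_check(LEGIT, "tunnel", OUTER_SEL),
    }


if __name__ == "__main__":
    for name, result in compare_modes().items():
        print(f"{name:18s} {result}")
```

The suspect packet is admitted by the transport-mode SA, because only the gateway-to-gateway outer header is inspected, and dropped by the tunnel-mode SA, which checks the inner 10.x addresses against the protected-site selectors. That is the access-control consequence of tunnelling before IPsec rather than letting tunnel mode do the encapsulation: any policy on the inner addresses has to be enforced by something other than the SA's own selector check.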