Re: Fwd: IPsec issue #50 -- tunnel vs transport mode at link layer
At 8:50 -0700 9/23/03, Joe Touch wrote:
>Stephen Kent wrote:
>
>>>...
>>>
>>>> I think that the model we should be using, which is less restrictive
>>>> than what 2401 says, is that a user of IPsec can perform tunneling
>>>> before invoking IPsec, if the application context warrants, and in that
>>>> case IPsec can be used in transport mode and will enforce access
>>>> controls based only on the external header, consistent with the
>>>> provision of link security.
>>>
>>>Transport mode checks the internal transport header. When a
>>>tunneled packet uses transport mode, the inner packet is an IP
>>>header, and should be checked as well.
>>
>>For outbound traffic there is no difference between the header
>>examined by transport or tunnel mode in IPsec. But for inbound
>>traffic, transport and tunnel mode examine different headers. That
>>is the essence of the difference between the two modes. Please do
>>not redefine what transport mode does today to match what you want
>>it to do in the future.
>
>_Tunneling_ (encaps/decaps) is the "essence of the difference".
>
>Which headers are checked, or whether such is part of IPsec or a
>separate firewall service, or whether such is applied consistently
>within IPsec, is certainly an artifact of what is done today.
>
>Redefining what is done today is the "essence of the difference"
>that warrants revision of 2401.
>
>Transport mode ignores all but two (coming to be three) specific
>Internet transport protocols. It will be incomplete until it handles
>the remainder.
>
>Joe
Joe,
I'm afraid you decided a while ago that tunnel mode does match your
model of how IPsec should work. The vast majority of folks who have
implemented IPsec do not seem to share this view. I have stated how
we're changing the spec so that you can perform IP-in-IP tunneling and
legitimately claim conformance. However, I am not comfortable
changing the fundamental notion of tunnel and transport mode to
accommodate your model, and thus break all the extant implementations
that have complied with 2401.
Unless I am directed otherwise by the WG chairs, or the Security ADs,
I will not continue this discussion.
Steve
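As an added illustration of the point made above about which header inbound processing examines in each mode, here is a toy model of the inbound selector check. This is example code written for this page, not text or code from RFC 2401 or from any IPsec implementation; the three-field selector, the `SpdEntry` structure, the host and gateway names and the SPD contents are all constructed simplifications. It shows why access control "based only on the external header" (transport mode applied to a packet that was already IP-in-IP tunneled) leaves the inner packet unconstrained, whereas tunnel mode decapsulates and checks the inner header.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified IP header: only the fields the toy selector looks at.
@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "ipip" (IP-in-IP), ...

# A received packet after ESP/AH processing has been applied and removed.
# 'inner' is present when the outer protocol is "ipip".
@dataclass(frozen=True)
class Packet:
    outer: IPHeader
    inner: Optional[IPHeader] = None

# Constructed SPD entry: a selector plus an action ("protect" or "discard").
# "*" is a wildcard in any selector field. First match wins.
@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    proto: str
    action: str

def matches(entry: SpdEntry, hdr: IPHeader) -> bool:
    """True if every selector field is a wildcard or equals the header field."""
    return all(sel in ("*", val) for sel, val in
               ((entry.src, hdr.src), (entry.dst, hdr.dst), (entry.proto, hdr.proto)))

def lookup(spd: List[SpdEntry], hdr: IPHeader) -> str:
    """First-match SPD lookup; anything unmatched is discarded."""
    for entry in spd:
        if matches(entry, hdr):
            return entry.action
    return "discard"

def inbound_check(spd: List[SpdEntry], pkt: Packet, mode: str) -> str:
    """Apply the inbound access-control check for the given IPsec mode.

    transport: selectors are applied to the header that carried IPsec,
               i.e. the external header; an IP-in-IP payload is not inspected.
    tunnel:    the outer header is removed and selectors are applied to the
               inner (decapsulated) header; a packet with nothing inside is
               not a valid tunnel-mode packet and is discarded.
    """
    if mode == "transport":
        return lookup(spd, pkt.outer)
    if mode == "tunnel":
        if pkt.inner is None:
            return "discard"
        return lookup(spd, pkt.inner)
    raise ValueError(f"unknown mode {mode!r}")

# Constructed SPD: permit the gateway-to-gateway IP-in-IP tunnel itself, permit
# TCP from host-a to host-b, discard everything else.
SPD = [
    SpdEntry("gw-a", "gw-b", "ipip", "protect"),
    SpdEntry("host-a", "host-b", "tcp", "protect"),
    SpdEntry("*", "*", "*", "discard"),
]

# Constructed packets: tunneling was done before IPsec, so the outer header is
# the gateway pair. One carries an authorised inner flow, one does not.
TUNNELED_FROM_HOST_A = Packet(IPHeader("gw-a", "gw-b", "ipip"),
                              IPHeader("host-a", "host-b", "tcp"))
TUNNELED_FROM_HOST_X = Packet(IPHeader("gw-a", "gw-b", "ipip"),
                              IPHeader("host-x", "host-b", "tcp"))
NOT_TUNNELED = Packet(IPHeader("gw-a", "gw-b", "tcp"))

def demo() -> dict:
    """Return each packet's fate under both modes, for comparison."""
    return {
        "transport/host-a": inbound_check(SPD, TUNNELED_FROM_HOST_A, "transport"),
        "transport/host-x": inbound_check(SPD, TUNNELED_FROM_HOST_X, "transport"),
        "tunnel/host-a": inbound_check(SPD, TUNNELED_FROM_HOST_A, "tunnel"),
        "tunnel/host-x": inbound_check(SPD, TUNNELED_FROM_HOST_X, "tunnel"),
        "tunnel/no-inner": inbound_check(SPD, NOT_TUNNELED, "tunnel"),
    }

if __name__ == "__main__":
    for case, fate in demo().items():
        print(f"{case:18s} -> {fate}")
```

Running `demo()` shows the asymmetry in one table: in transport mode both tunneled packets are accepted because only the gw-a/gw-b external header is consulted, so the host-x flow passes; in tunnel mode the same two packets diverge, and the packet with no encapsulated inner header is rejected. If tunneling is moved outside IPsec, whatever inner-header policy is wanted has to be enforced by something other than the transport-mode SPD check.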