
Re: 2401bis issues (possible) resolution

Angelos D. Keromytis wrote:

> In our weekly teleconference, we discussed the following items from the issues
> list:
> 
> 	40 Interface SPD selector vs. per-interface SPD
> 	50 Proposed change: tunnel vs. transport mode
> 	67 IPsec management traffic
> 	68 VPNs with overlapping IP address ranges
> 	69 Multiple protocols per SPD entry
> 
> We believe that these items are implementation-specific and/or not applicable
> to implementations in general (this applies in particular to 50 and partially
> to 68). We invite one last round of comments on these items --- if you feel
> strongly, yell!

Item 50:

The key issue we feel needs to be addressed is RFC2003 tunneled traffic, 
not traffic on a 'link' in general. Packets using 2003-style tunnels at 
a gateway originate and/or terminate at that gateway, and as such, are 
hosts for the purposes of IPsec conformance (for that tunnel). Thus 
RFC2401 already permits the use of transport mode on this traffic.

As noted before, this is discussed in detail in draft-touch-ipsec-vpn-06.txt

We feel that it would be useful for RFC2401bis to make this distinction 
clear, esp. since 2401 currently suggests that transport mode support is 
not required at gateways, i.e. in Sec 4.1:

>    Whenever either end of a security association is a security gateway,
>    the SA MUST be tunnel mode. 

It might be more specific to indicate that:

For traffic originating or terminating at a gateway, that gateway MUST 
support the functions of an IPsec host. In particular, traffic 
originating or terminating at that gateway that is tunneled over 
non-IPsec mechanisms (e.g., RFC2003) MAY use transport mode. A gateway
that originates or terminates packets tunneled over non-IPsec 
mechanisms, for the purposes of that tunnel, MUST follow the IPsec host 
requirements rather than the IPsec gateway requirements.

Permitting the use of transport mode in this context goes specifically 
to the interaction between IPsec and RFC2003 tunnels, making it a 
protocol issue rather than merely an implementation issue.

Joe
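As an added example (not part of Joe's message or of any IPsec implementation), the proposed rule expressed as a policy check in Python: the gateway's role is decided on the outer IP header, so an RFC2003 (IP-in-IP, protocol 4) tunnel whose outer endpoint is the gateway gets host treatment, and transport mode is permitted, even though the inner packet was sent by and to other nodes. The gateway addresses and the packets are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4  # RFC 2003 IP-in-IP encapsulation

# Constructed for the demo: addresses this gateway owns on its own interfaces.
GATEWAY_ADDRS = {IPv4Address("192.0.2.1"), IPv4Address("198.51.100.1")}

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero; demo only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[9], pkt[ihl:]

def is_rfc2003_tunnel(pkt):
    """True when the outer packet carries an IP-in-IP (protocol 4) payload."""
    return parse_ipv4(pkt)[2] == IPPROTO_IPIP

def ipsec_role(pkt, local_addrs=GATEWAY_ADDRS):
    """Decide which IPsec requirements apply to this packet at the gateway.

    The decision is made on the OUTER header only: for an RFC 2003 tunnel the
    outer endpoints are the gateway itself, even though the inner packet was
    sent by and to other nodes. Returns (role, set of permitted SA modes).
    """
    src, dst, _, _ = parse_ipv4(pkt)
    if src in local_addrs or dst in local_addrs:
        # Traffic originates or terminates here: host requirements apply,
        # so transport mode is permitted (tunnel mode remains allowed too).
        return "host", {"transport", "tunnel"}
    # Forwarded on behalf of other nodes: gateway requirements, tunnel mode only
    # (RFC 2401 section 4.1).
    return "gateway", {"tunnel"}

if __name__ == "__main__":
    inner = build_ipv4("10.0.0.5", "10.1.0.7", 17, b"\x00" * 8)
    outer = build_ipv4("192.0.2.1", "203.0.113.9", IPPROTO_IPIP, inner)
    print(is_rfc2003_tunnel(outer), ipsec_role(outer))
    print(ipsec_role(build_ipv4("10.0.0.5", "203.0.113.9", 6)))
```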