[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 2401bis issues (possible) resolution
Joe,
You are right that 2401 makes a clear distinction between SG and host
implementations in terms of required mode to be supported. However
it is not appropriate to require that an SG must also act like an
IPsec host.
We distinguish 4 types of IPsec implementation contexts: SG, BITW,
BITS, and native host. the latter is special for several reasons,
e.g., in that context it is reasonable to have access to the name of
the target for an IPsec SA, as expressed by a user, whereas all other
implementations can expect to have access only to addresses. As a
result, the form of SPD entries that a host must support is broader
than the form that an SG (or BITS/BITW) must support. So, if only for
that reason, it would not be appropriate to make a broad assertion
that SGs must also support the functions of an IPsec host.
What we proposed to say is something like SGs MAY support transport
mode, and MUST support tunnel mode, which would support the IP-in-IP
or GRE tunneling over transport mode SAs, as well as 2401's mandated
tunnel mode use.
Steve