
Re: 2401bis issues (possible) resolution



Joe,

You are right that 2401 makes a clear distinction between SG and host 
implementations in terms of required mode to be supported.  However 
it is not appropriate to require that an SG must also act like an 
IPsec host.

We distinguish 4 types of IPsec implementation contexts: SG, BITW, 
BITS, and native host.  The latter is special for several reasons, 
e.g., in that context it is reasonable to have access to the name of 
the target for an IPsec SA, as expressed by a user, whereas all other 
implementations can expect to have access only to addresses.  As a 
result, the form of SPD entries that a host must support is broader 
than the form that an SG (or BITS/BITW) must support.  So, if only for 
that reason, it would not be appropriate to make a broad assertion 
that SGs must also support the functions of an IPsec host.

What we proposed to say is something like SGs MAY support transport 
mode, and MUST support tunnel mode, which would support the IP-in-IP 
or GRE tunneling over transport mode SAs, as well as 2401's mandated 
tunnel mode use.

Steve