
Re: Contradictory language in the 2401bis draft section 4.1?

Ken Ballou wrote:

> Am I misreading the text?  I believe there is contradictory text in
> section 4.1 (draft-ietf-ipsec-rfc2401bis-02.txt).
> 
> On one hand, in the third full paragraph on page 10, I read:
> 
> "... transport mode MAY be used between security gateways or between a
> security gateway and a host."
> 
> On the other hand, in the paragraph that spans pages 11 and 12, I read:
> 
> "In general, whenever either end of a security association is a security
> gateway, the SA MUST be tunnel mode."
> 
> I suspect the text following this sentence (citing an example of SNMP
> commands destined to the security gateway system) clarifies this.  Still,
> I wonder whether I am entirely alone in finding the text somewhat confusing.
> 
>                     - Ken

It seems like pp. 11-12 should be updated. There are some other areas as well; 
notably, in Appendix B, section B.3.1, there's a note:

>    Looking at the diagram below of a security gateway tunnel (as
>    mentioned elsewhere, security gateways do not use transport
>    mode)...

FWIW, it might be useful if the first section (4) refs our ID 
(draft-touch-ipsec-vpn-*) on this issue, perhaps as informational 
(though soon we should have an RFC number, hopefully).

Joe
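As an added illustration (not part of the thread or the draft): a small policy check encoding the reading that reconciles the two quoted sentences, namely that transport mode with a security gateway endpoint is acceptable only when the gateway is itself the source or destination of the protected traffic (the SNMP-to-the-gateway case), and that any gateway forwarding traffic for others must use tunnel mode. The class, field and function names are my own, not from the draft.

```python
from dataclasses import dataclass

HOST = "host"
GATEWAY = "security gateway"


@dataclass(frozen=True)
class SecurityAssociation:
    """Minimal SA description for this check (constructed, not a real API)."""
    local_role: str                 # HOST or GATEWAY
    peer_role: str                  # HOST or GATEWAY
    mode: str                       # "transport" or "tunnel"
    # True when the protected traffic originates from or terminates at the
    # gateway itself (e.g. SNMP to the gateway), i.e. the gateway acts as a host.
    gateway_is_traffic_endpoint: bool = False


def check_mode(sa: SecurityAssociation) -> tuple[bool, str]:
    """Return (allowed, reason) under the reconciled reading of section 4.1:
    tunnel mode is always acceptable; transport mode is acceptable between two
    hosts, or with a gateway endpoint only when that gateway is itself the
    source/destination of the traffic (acting as a host)."""
    if sa.mode not in ("transport", "tunnel"):
        return False, f"unknown mode {sa.mode!r}"
    if sa.mode == "tunnel":
        return True, "tunnel mode is permitted for any endpoint combination"
    if GATEWAY not in (sa.local_role, sa.peer_role):
        return True, "host-to-host transport mode"
    if sa.gateway_is_traffic_endpoint:
        return True, "transport mode: gateway is acting as a host for this traffic"
    return False, "gateway forwarding traffic for others MUST use tunnel mode"


# Constructed sample SAs covering the cases the two quoted sentences address.
SAMPLES = [
    SecurityAssociation(HOST, HOST, "transport"),
    SecurityAssociation(GATEWAY, GATEWAY, "tunnel"),
    SecurityAssociation(GATEWAY, HOST, "transport"),  # transit traffic: not allowed
    SecurityAssociation(GATEWAY, HOST, "transport", gateway_is_traffic_endpoint=True),  # SNMP to gateway
]


def audit(sas=SAMPLES) -> list[tuple[bool, str]]:
    """Evaluate every SA and return the (allowed, reason) verdicts in order."""
    return [check_mode(sa) for sa in sas]


if __name__ == "__main__":
    for sa, (ok, why) in zip(SAMPLES, audit()):
        print(f"{sa.local_role:>16} <-> {sa.peer_role:<16} {sa.mode:9} {'OK ' if ok else 'BAD'} {why}")
```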