
comments on 2401bis-01 - Transport mode by SGs
I just finished reading through draft-ietf-ipsec-rfc2401bis-01.txt and I 
found it much clearer than 2401.  A big thank you to the authors and other 
contributors!

I have a few questions on the content which I will spread over several 
messages.

Regarding use of transport mode by security gateways in sect. 4.1 it states:

    A transport mode SA is a security association typically employed
    between a pair of hosts to provide end-to-end security services. When
    link (vs. end-to-end) security is desired between two intermediate
    systems along a path, ...

It seems a bit of a misnomer to refer to this as "link security" since it 
may in fact span multiple links.  I propose referring to this instead as 
"intermediate system to intermediate system security."

                      ... transport mode MAY be used between security
    gateways or between a security gateway and a host.  In the latter
    case, transport mode may be used to support IP-in-IP [Per96] or GRE
    tunneling [FaLiHaMeTr00] over transport mode SAs.

Even in the former case (SG to SG) shouldn't the use of transport mode be 
limited to cases where some in-IP tunnelling mechanism is used?  But, it 
might not be IP-in-IP or GRE; it could be L2TP, MPLS-in-IP, etc.  So I 
suggest rewording this passage as follows:

    A transport mode SA is a security association typically employed
    between a pair of hosts to provide end-to-end security services. When
    security is desired between two intermediate systems along a path or
    between an intermediate and an end system, transport mode MAY be used
    between security gateways or between a security gateway and a host.
    In these cases transport mode may be used to secure any sort of
    in-IP tunneling. In these cases the security gateway(s) are in fact
    acting as end systems with respect to the in-IP tunnel packets to
    which transport mode IPsec is applied.


There are 2 additional mentions of "link security" later in the section 
that would also change:

Change
   "... security gateways MAY support a transport mode SA to provide link 
security for IP traffic"
to
   "... security gateways MAY support a transport mode SA to provide 
intermediate system to intermediate system security for tunneled IP traffic"

Change
   "If it supports transport mode, that should be used only when the 
security gateway is acting as a host, e.g., for network management, or to 
provide link security."
to
   "If it supports transport mode, that should be used only when the 
security gateway is acting as a host, e.g., for network management, or to 
provide intermediate system to intermediate system security for tunneled IP 
traffic."


--Mark
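The distinction the message turns on (a security gateway applying transport mode to its own tunnel packets, versus tunnel mode encapsulating the host traffic) is easiest to see in packet layout. The following is an added illustration, not text or code from the draft or from the message author. It constructs a minimal IPv4 packet between two hosts, then wraps it the two ways a gateway might: GRE over a transport mode ESP SA, and a plain tunnel mode ESP SA. It assumes NULL encryption and no ICV so the bytes stay readable, a zeroed IPv4 checksum, a 4-byte GRE header with no options, and constructed placeholder addresses; it is not a usable IPsec implementation.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4 carried directly inside ESP (tunnel mode next header)
IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; checksum left at zero (constructed illustration)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP with NULL encryption and no ICV: SPI, sequence, payload, padding to a
    4-byte boundary, then the pad-length and next-header trailer bytes."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer


def transport_mode_over_gre(inner_pkt: bytes, sg_a: str, sg_b: str, spi: int, seq: int) -> bytes:
    """Gateway tunnels the host packet in GRE, then protects its own GRE packet
    with a transport mode SA: outer IP header is the gateway's, ESP next header is GRE."""
    gre = struct.pack("!HH", 0, 0x0800) + inner_pkt          # flags=0, protocol=IPv4
    esp = esp_encapsulate(gre, IPPROTO_GRE, spi, seq)
    return ipv4_header(sg_a, sg_b, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(inner_pkt: bytes, sg_a: str, sg_b: str, spi: int, seq: int) -> bytes:
    """Tunnel mode SA: the whole host packet is the ESP payload, next header 4."""
    esp = esp_encapsulate(inner_pkt, IPPROTO_IPIP, spi, seq)
    return ipv4_header(sg_a, sg_b, IPPROTO_ESP, len(esp)) + esp


def decapsulate(pkt: bytes) -> dict:
    """What the receiving gateway sees: outer selectors, SPI, next header and the
    bytes that were under ESP protection."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    esp = pkt[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return {
        "outer_src": str(ipaddress.IPv4Address(fields[8])),
        "outer_dst": str(ipaddress.IPv4Address(fields[9])),
        "outer_proto": fields[6],
        "spi": spi,
        "seq": seq,
        "next_header": next_header,
        "protected": esp[8:len(esp) - 2 - pad_len],
    }


def inner_packet(decap: dict) -> bytes:
    """Recover the original host packet from either encapsulation."""
    if decap["next_header"] == IPPROTO_GRE:
        return decap["protected"][4:]        # strip the 4-byte GRE header
    if decap["next_header"] == IPPROTO_IPIP:
        return decap["protected"]
    raise ValueError("unexpected ESP next header %d" % decap["next_header"])


def sample_inner_packet() -> bytes:
    """Constructed host-to-host packet: TCP-like segment carrying 'hello'."""
    seg = struct.pack("!HH", 40000, 80) + bytes(16) + b"hello"
    return ipv4_header("10.1.1.1", "10.2.2.2", IPPROTO_TCP, len(seg)) + seg


if __name__ == "__main__":
    inner = sample_inner_packet()
    for name, pkt in (
        ("transport mode over GRE", transport_mode_over_gre(inner, "192.0.2.1", "198.51.100.1", 0x1001, 1)),
        ("tunnel mode", tunnel_mode(inner, "192.0.2.1", "198.51.100.1", 0x1002, 1)),
    ):
        d = decapsulate(pkt)
        print(name, d["outer_src"], "->", d["outer_dst"], "next header", d["next_header"],
              "inner recovered:", inner_packet(d) == inner)
```

In both encapsulations the outer selectors are the two gateways' own addresses and protocol ESP, and the original host packet comes back intact. The difference is in the next-header byte and in what the SA is nominally protecting: in transport mode the gateway is protecting a GRE packet that it itself originated, which is exactly the sense in which the message says the gateway is "acting as an end system with respect to the in-IP tunnel packets".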