comments on 2401bis-01 - Transport mode by SGs
I just finished reading through draft-ietf-ipsec-rfc2401bis-01.txt and I
found it much clearer than 2401. A big thank you to the authors and other
contributors!
I have a few questions on the content which I will spread over several
messages.
Regarding use of transport mode by security gateways in sect. 4.1 it states:
A transport mode SA is a security association typically employed
between a pair of hosts to provide end-to-end security services. When
link (vs. end-to-end) security is desired between two intermediate
systems along a path, ...
It seems a bit of a misnomer to refer to this as "link security" since it
may in fact span multiple links. I propose referring to this instead as
"intermediate system to intermediate system security."
... transport mode MAY be used between security
gateways or between a security gateway and a host. In the latter
case, transport mode may be used to support IP-in-IP [Per96] or GRE
tunneling [FaLiHaMeTr00] over transport mode SAs.
Even in the former case (SG to SG) shouldn't the use of transport mode be
limited to cases where some in-IP tunnelling mechanism is used? But, it
might not be IP-in-IP or GRE; it could be L2TP, MPLS-in-IP, etc. So I
suggest rewording this passage as follows:
A transport mode SA is a security association typically employed
between a pair of hosts to provide end-to-end security services. When
security is desired between two intermediate systems along a path or
between an intermediate and an end system, transport mode MAY be used
between security gateways or between a security gateway and a host.
In these cases transport mode may be used to secure any sort of
in-IP tunneling. In these cases the security gateway(s) are in fact
acting as end systems with respect to the in-IP tunnel packets to
which transport mode IPsec is applied.
There are 2 additional mentions of "link security" later in the section
that would also change:
Change
"... security gateways MAY support a transport mode SA to provide link
security for IP traffic"
to
"... security gateways MAY support a transport mode SA to provide
intermediate system to intermediate system security for tunneled IP traffic"
Change
"If it supports transport mode, that should be used only when the
security gateway is acting as a host, e.g., for network management, or to
provide link security."
to
"If it supports transport mode, that should be used only when the
security gateway is acting as a host, e.g., for network management, or to
provide intermediate system to intermediate system security for tunneled IP
traffic."
--Mark
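The distinction argued above (transport mode only where the gateway is itself an end system, i.e. for its own traffic or for an in-IP tunnel it terminates; tunnel mode for forwarded traffic) can be shown as a small model of the header chains a gateway emits. This is an added illustration, not text from the draft or from this message; the gateway and host addresses are constructed, and the rule encoded in transport_mode_permitted() is the proposed wording, not the draft's.

```python
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers for the in-IP encapsulations named in the message
IPIP, UDP, GRE, MPLS_IN_IP = 4, 17, 47, 137
L2TP_PORT = 1701                                   # L2TP runs over UDP
ENCAPS = {IPIP: "IP-in-IP", GRE: "GRE", MPLS_IN_IP: "MPLS-in-IP"}

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int        # next-header protocol number
    dport: int = 0    # UDP destination port, only meaningful when proto == UDP

def is_in_ip_tunnel(h: IPHeader) -> bool:
    return h.proto in ENCAPS or (h.proto == UDP and h.dport == L2TP_PORT)

def transport_mode_permitted(outer: IPHeader, sg_addrs: set) -> tuple:
    """Proposed rule: an SG may use transport mode only for packets it is an end
    system of (its own management traffic or an in-IP tunnel it terminates);
    anything it merely forwards must get tunnel mode."""
    if outer.src not in sg_addrs and outer.dst not in sg_addrs:
        return False, "transit traffic: tunnel mode required"
    if is_in_ip_tunnel(outer):
        return True, "SG is an end system of an in-IP tunnel"
    return True, "SG acting as a host (e.g. management traffic)"

def protect(pkt: IPHeader, upper: list, sg: str, peer: str, sg_addrs: set,
            encap: Optional[int] = None) -> list:
    """Header chain, outermost first, after SG `sg` protects `pkt` towards `peer`.
    `upper` names the layers above IP. With `encap`, the SG first places the
    packet in an in-IP tunnel sg->peer and the mode is decided for that header."""
    layers = [f"IP({pkt.src}->{pkt.dst})"] + upper
    outer = pkt
    if encap is not None:
        outer = IPHeader(sg, peer, encap, L2TP_PORT if encap == UDP else 0)
        layers = [f"IP({sg}->{peer})", ENCAPS.get(encap, "UDP/L2TP")] + layers
    if not transport_mode_permitted(outer, sg_addrs)[0]:
        return [f"IP({sg}->{peer})", "ESP"] + layers  # tunnel mode: IPsec adds its own outer IP header
    return layers[:1] + ["ESP"] + layers[1:]          # transport mode: ESP follows the SG's own header

# Constructed addresses (documentation ranges): SG1 protects hosts behind it towards SG2
SG1, SG2, H1, H2 = "192.0.2.1", "198.51.100.1", "10.0.0.5", "10.1.0.7"
TRANSIT = IPHeader(H1, H2, 6)   # a forwarded TCP packet from H1 to H2

if __name__ == "__main__":
    for enc in (None, GRE, UDP):
        print(enc, protect(TRANSIT, ["TCP", "data"], SG1, SG2, {SG1}, enc))
```

With no encapsulation the transit packet gets a new outer header from tunnel-mode IPsec; with GRE or L2TP the gateway's own tunnel header is the outermost one and ESP sits behind it, which is exactly the case where the gateway is acting as an end system.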