
Re: comments on 2401bis-01 - Transport mode by SGs



At 09:55 PM 3/2/2004 -0500, Thor Lancelot Simon wrote:
>On Tue, Mar 02, 2004 at 07:13:05PM -0500, Mark Duffy wrote:
> >
> >                      ... transport mode MAY be used between security
> >    gateways or between a security gateway and a host.  In the latter
> >    case, transport mode may be used to support IP-in-IP [Per96] or GRE
> >    tunneling [FaLiHaMeTr00] over transport mode SAs.
> >
> > Even in the former case (SG to SG) shouldn't the use of transport mode be
> > limited to cases where some in-IP tunnelling mechanism is used?  But, it
> > might not be IP-in-IP or GRE; it could be L2TP, MPLS-in-IP, etc.  So I
> > suggest rewording this passage as follows:
>
>Why forbid two security gateways from using transport mode to protect
>other SG-to-SG traffic?

By SG-to-SG traffic, do you mean packets whose source/dest addresses are 
the SGs?  I didn't mean to forbid any of that.  I think that WRT the 
non-tunneled traffic, the SG is acting as a host and the use of transport 
mode for this is described a few paragraphs further on in 2401bis.  Or, I 
can propose new text that explicitly includes that.

My points were that 1) SG-to-SG and SG-to-host should have the same rules 
applied to them, and 2) the type of in-IP tunneling doesn't matter and 
should not be limited to IP-in-IP and GRE.

As far as applying transport mode to transit packets (whose source/dest are 
not the SGs) 2401 proscribed that, I believe 2401bis-01 intends to 
proscribe it, and I had no intention of changing that.

--Mark
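The distinction Mark draws above (an SG may use transport mode for traffic it originates or terminates itself, whatever the in-IP tunnel type, but not for transit packets it merely forwards) can be expressed as a small policy check. This is an added, constructed illustration, not text or code from 2401bis or from this thread; the packet model and the list of tunnel protocols are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Any in-IP tunneling protocol qualifies; the particular encapsulation
# (IP-in-IP, GRE, L2TP, MPLS-in-IP, ...) does not change the rule.
TUNNELING_PROTOS = {"ipip", "gre", "l2tp", "mpls-in-ip"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # transport/tunnel protocol in the outer header
    inner: Optional["Packet"] = None  # encapsulated packet, if proto is a tunnel


def sg_is_endpoint(pkt: Packet, sg_addrs: set) -> bool:
    """True when the SG itself is the source or destination of the outer header."""
    return pkt.src in sg_addrs or pkt.dst in sg_addrs


def required_sa_mode(pkt: Packet, sg_addrs: set) -> str:
    """Mode the SG must use to protect pkt: 'transport' only when the SG is an
    endpoint of the outer header (it is then acting as a host, whether or not
    the payload is a tunnel carrying someone else's traffic); 'tunnel' for
    transit packets whose outer addresses are not the SG's own."""
    if sg_is_endpoint(pkt, sg_addrs):
        return "transport"
    return "tunnel"


def check_sa_applies(sa_mode: str, pkt: Packet, sg_addrs: set) -> bool:
    """Reject a transport-mode SA applied to transit traffic; tunnel mode is
    always acceptable because the SG adds its own outer header."""
    if sa_mode == "tunnel":
        return True
    return required_sa_mode(pkt, sg_addrs) == "transport"


def tunneled_transit(pkt: Packet, sg_addrs: set) -> bool:
    """True when pkt is a tunnel terminated by the SG that carries transit
    traffic inside: allowed in transport mode, since the SG is the endpoint."""
    return (pkt.proto in TUNNELING_PROTOS and sg_is_endpoint(pkt, sg_addrs)
            and pkt.inner is not None and not sg_is_endpoint(pkt.inner, sg_addrs))
```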