
Re: comments on 2401bis-01 - Transport mode by SGs

At 19:13 -0500 3/2/04, Mark Duffy wrote:
>I just finished reading through draft-ietf-ipsec-rfc2401bis-01.txt 
>and I found it much clearer than 2401.  A big thank you to the 
>authors and other contributors!
>
>I have a few questions on the content which I will spread over 
>several messages.
>
>Regarding use of transport mode by security gateways in sect. 4.1 it states:
>
>    A transport mode SA is a security association typically employed
>    between a pair of hosts to provide end-to-end security services. When
>    link (vs. end-to-end) security is desired between two intermediate
>    systems along a path, ...
>
>It seems a bit of a misnomer to refer to this as "link security" 
>since it may in fact span multiple links.  I propose referring to 
>this instead as "intermediate system to intermediate system 
>security."

yes, "link" is not a great term, and we can consider something more 
descriptive. but because the access controls are applied only to what 
will be the outer header, we need to reinforce the fact that using 
transport mode here is very different.

>                      ... transport mode MAY be used between security
>    gateways or between a security gateway and a host.  In the latter
>    case, transport mode may be used to support IP-in-IP [Per96] or GRE
>    tunneling [FaLiHaMeTr00] over transport mode SAs.
>
>Even in the former case (SG to SG) shouldn't the use of transport 
>mode be limited to cases where some in-IP tunnelling mechanism is 
>used?  But, it might not be IP-in-IP or GRE; it could be L2TP, 
>MPLS-in-IP, etc.  So I suggest rewording this passage as follows:
>
>    A transport mode SA is a security association typically employed
>    between a pair of hosts to provide end-to-end security services. When
>    security is desired between two intermediate systems along a path or
>    between an intermediate and an end system, transport mode MAY be used
>    between security gateways or between a security gateway and a host.
>    In these cases transport mode may be used to secure any sort of
>    in-IP tunneling. In these cases the security gateway(s) are in fact
>    acting as end systems with respect to the in-IP tunnel packets to
>    which transport mode IPsec is applied.

not sure I am completely happy with the wording, but I get your point. 
we just gave examples for the sorts of tunneling that might be used. 
it was not intended to be a proscriptive list.

>
>There are 2 additional mentions of "link security" later in the 
>section that would also change:
>
>Change
>   "... security gateways MAY support a transport mode SA to provide 
>link security for IP traffic"
>to
>   "... security gateways MAY support a transport mode SA to provide 
>intermediate system to intermediate system security for tunneled IP 
>traffic"
>
>Change
>   "If it supports transport mode, that should be used only when the 
>security gateway is acting as a host, e.g., for network management, 
>or to provide link security."
>to
>   "If it supports transport mode, that should be used only when the 
>security gateway is acting as a host, e.g., for network management, 
>or to provide intermediate system to intermediate system security 
>for tunneled IP traffic."

thanks.

Steve
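The point Steve makes above, that a transport mode SA between security gateways applies its access controls only to what will be the outer header, is easy to state and easy to get wrong in deployment. The following is an added illustration, not text or code from the draft, from the list discussion, or from any IPsec implementation. It assumes two gateways GW_A and GW_B, an IP-in-IP tunnel (IP protocol 4) between them, and a toy SPD whose entries are (src_net, dst_net, proto) selectors with PROTECT on a match and DISCARD otherwise; real SPDs carry more selector fields, and only the header-visibility difference between the two deployment styles is modeled.

```python
"""Added illustration (not code from the draft or any IPsec implementation):
why transport mode between security gateways differs from tunnel mode
for access control.

Assumptions (constructed for this example): gateways GW_A and GW_B, an
IP-in-IP tunnel (protocol 4) between them, and a toy SPD of
(src_net, dst_net, proto) selectors, PROTECT on match, DISCARD otherwise.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

GW_A = "192.0.2.1"        # constructed gateway addresses (documentation ranges)
GW_B = "198.51.100.1"
IPIP = 4                  # IP protocol number for IP-in-IP encapsulation


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: Optional[int] = None   # None matches any protocol

    def matches(self, h: IPHeader) -> bool:
        return (ipaddress.ip_address(h.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(h.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == h.proto))


def spd_decision(presented: IPHeader, spd: List[Selector]) -> str:
    """Toy SPD lookup: first matching selector yields PROTECT; no match
    yields DISCARD (the outcome when nothing in the SPD applies)."""
    return "PROTECT" if any(s.matches(presented) for s in spd) else "DISCARD"


def tunnel_mode_sg(host_pkt: IPHeader, spd: List[Selector]) -> str:
    """Tunnel mode: IPsec is applied to the host packet itself, so the
    selectors are evaluated against the end-host addresses before the
    gateway prepends the outer GW_A -> GW_B header."""
    return spd_decision(host_pkt, spd)


def transport_over_ipip_sg(host_pkt: IPHeader, spd: List[Selector]) -> str:
    """Transport mode over an IP-in-IP tunnel: the gateway encapsulates the
    host packet first, so the packet handed to IPsec is GW_A -> GW_B
    protocol 4.  The host addresses are now payload and never reach the
    selectors; the gateway is acting as an end system for the tunnel."""
    tunnel_pkt = IPHeader(GW_A, GW_B, IPIP)
    return spd_decision(tunnel_pkt, spd)


# SPD for a tunnel-mode SA: only site A's 10.1.0.0/24 may reach site B's 10.2.0.0/24
TUNNEL_SPD = [Selector("10.1.0.0/24", "10.2.0.0/24")]
# SPD for a transport-mode SA carrying the IP-in-IP tunnel between the gateways
TRANSPORT_SPD = [Selector(GW_A + "/32", GW_B + "/32", IPIP)]

AUTHORIZED = IPHeader("10.1.0.5", "10.2.0.7", 6)     # constructed: host inside the policy
UNAUTHORIZED = IPHeader("10.1.9.9", "10.2.0.7", 6)   # constructed: host outside the policy


def compare() -> dict:
    """Decision each deployment style makes for the two constructed packets."""
    return {
        "tunnel/authorized": tunnel_mode_sg(AUTHORIZED, TUNNEL_SPD),
        "tunnel/unauthorized": tunnel_mode_sg(UNAUTHORIZED, TUNNEL_SPD),
        "transport/authorized": transport_over_ipip_sg(AUTHORIZED, TRANSPORT_SPD),
        "transport/unauthorized": transport_over_ipip_sg(UNAUTHORIZED, TRANSPORT_SPD),
    }


if __name__ == "__main__":
    for case, decision in compare().items():
        print(f"{case:24s} -> {decision}")
```

The tunnel-mode SPD discards the packet from 10.1.9.9 because the host header is what the selectors see; the transport-mode SPD protects it, because by the time IPsec runs, every host packet has become an identical GW_A -> GW_B protocol 4 packet. In the transport-over-tunnel design, IPsec only decides which gateways may exchange tunnel packets, so any per-host access control has to live in the tunneling layer or a separate filter, on both the encapsulating and the decapsulating gateway.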