
    Re: IPSEC target and transport mode



    Sorry if this goes out twice, I think my mailer ate it the first time.
    
    On Tue, 26 Mar 2002 Black_David@emc.com wrote:
    
    > While I believe the current situation does represent rough consensus
    > of the WG, there was a visible minority in the meeting who dissented
    > from this decision, and essentially no time to discuss it.  Hence,
    > this is an opportunity for those who would like to see the transport
    > mode requirement from Huntington Beach retained to explain why on the
    > list and see if they can convince the WG.  The only available options
    > are (1) to drop all requirements for transport mode (i.e., "MAY implement")
    > and (2) to retain the transport mode requirement in the form that it
    > was added in Huntington Beach (i.e., transport mode is required when
    > RFC 2401 says it is).  I am certain that WG rough consensus cannot be
    > obtained for requiring transport mode in all cases (i.e., without the
    > "when RFC 2401 says it is" qualifier from Huntington Beach).
    
    As I understand tunnel mode, you have an IPsec security gateway in the
    topology. Among other things, that means we won't readily have end-to-end
    security, since you have security from the gateway to the device, not
    necessarily the initiator to the device.
    
    How do you suggest we achieve end-to-end security without transport mode
    being a MUST?
    
    Specifically the topology I have in mind is I make a dedicated IP SAN, and
    want ESP from the file servers to the storage boxes. They are all on the
    same (GigE) subnet. How do I get this level of security (end-to-end) with
    just tunnel mode?
    
    Puzzled,
    
    Bill
    
    
    



Last updated: Wed Mar 27 13:18:17 2002