Re: IPSEC target and transport mode

[Jason R Thorpe <thorpej@wasabisystems.com>]

First of all, I'm new to the list (my subscription request is pending
approval right now, so please CC me explicitly on any replies..)

Sigh, every time I see a discussion of this nature, it makes me wish that
IPsec Tunnel Mode didn't even exist...

 > ---------- Forwarded message ----------
 > Date: Tue, 26 Mar 2002 19:31:37 -0500
 > From: Black_David@emc.com
 > To: pierre_labat@hp.com, ips@ece.cmu.edu
 > Subject: IPSEC target and transport mode
 > 

 ...

 > The sense of the room in Minneapolis (and it was a bit rough,
 > with visible dissent) was to drop the requirement for IPsec
 > transport mode.  Tunnel mode would become "MUST implement",
 > transport mode would become "MAY implement", and this would
 > override the "host must support both tunnel mode and transport
 > mode" requirement of RFC 2401.  Any procedural questions or

I really don't like this idea.  While it is true that Tunnel Mode
does not require the use of a gateway, Transport Mode is actually
the more general mode.

It is possible to combine Transport Mode with any arbitrary something-in-IP
tunneling protocol (IP-IP, GRE, etc.).  In the case of Transport Mode +
IP-IP tunneling, you achieve something that is equivalent to Tunnel Mode,
thus satisfying those who need it (I suggest that everyone read
draft-touch-ipsec-vpn-03.txt).

Transport Mode is also less expensive from a processing point of view.
If you use Tunnel Mode with no gateway (i.e. inner-dest==outer-dest,
outer-source==inner-source), you still have to de-encap the packet and
re-process it, which is something you don't have to do in Transport Mode.

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>