Re: IPSEC target and transport mode

First of all, I'm new to the list (my subscription request is pending
approval right now, so please CC me explicitly on any replies..)

Sigh, every time I see a discussion of this nature, it makes me wish that
IPsec Tunnel Mode didn't even exist...

> ---------- Forwarded message ----------
> Date: Tue, 26 Mar 2002 19:31:37 -0500
> From: Black_David@emc.com
> To: pierre_labat@hp.com, ips@ece.cmu.edu
> Subject: IPSEC target and transport mode
> ...
> The sense of the room in Minneapolis (and it was a bit rough,
> with visible dissent) was to drop the requirement for IPsec
> transport mode. Tunnel mode would become "MUST implement",
> transport mode would become "MAY implement", and this would
> override the "host must support both tunnel mode and transport
> mode" requirement of RFC 2401. Any procedural questions or

I really don't like this idea.

While it is true that Tunnel Mode does not require the use of a gateway,
Transport Mode is actually the more general mode. It is possible to
combine Transport Mode with any arbitrary something-in-IP tunneling
protocol (IP-IP, GRE, etc.). In the case of Transport Mode + IP-IP
tunneling, you achieve something that is equivalent to Tunnel Mode, thus
satisfying those who need it (I suggest that everyone read
draft-touch-ipsec-vpn-03.txt).

Transport Mode is also less expensive from a processing point of view.
If you use Tunnel Mode with no gateway (i.e. inner-dest==outer-dest,
outer-source==inner-source), you still have to de-encap the packet and
re-process it, which is something you don't have to do in Transport Mode.

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>
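The following is an added example, not part of the original post and not code from any IPsec implementation. It models at the byte level the three framings the message compares (ESP transport mode, ESP tunnel mode, and ESP transport mode applied to an IP-in-IP tunnel packet, the draft-touch construction) and a receiver that counts how many IP-layer passes each one needs. Cryptography is deliberately left out (no encryption, no padding, no ICV); only header layout is modelled. The addresses, SPI, sequence number and TCP segment are constructed sample values.

```python
"""Byte-level model of ESP transport vs tunnel framing (added example, no crypto)."""
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPV4_HDR_LEN = 20
ESP_HDR_LEN = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_LEN = 2    # pad length (1) + next header (1); padding and ICV omitted

# Constructed sample values (not from the post)
HOST_A = bytes([10, 0, 0, 1])
HOST_B = bytes([10, 0, 0, 2])
SPI = 0x1000
SEQ = 1
# constructed 20-byte TCP header (ports 1234 -> 3260) followed by 5 data bytes
TCP_SEGMENT = b"\x04\xd2\x0c\xbc" + b"\x00" * 16 + b"hello"


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, TTL 64, header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def esp_wrap(payload, next_header):
    """ESP framing only: SPI, sequence number, payload, then pad-length/next-header trailer."""
    return struct.pack("!II", SPI, SEQ) + payload + struct.pack("!BB", 0, next_header)


def transport_mode(src, dst, segment):
    """Transport mode: ESP sits between the original IP header and its payload."""
    esp = esp_wrap(segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(outer_src, outer_dst, inner_src, inner_dst, segment):
    """Tunnel mode: the whole original datagram becomes the ESP payload (next header 4)."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(segment)) + segment
    esp = esp_wrap(inner, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def transport_over_ipip(outer_src, outer_dst, inner_src, inner_dst, segment):
    """Transport mode applied to an IP-in-IP tunnel packet.

    The IP-IP packet is outer IP (proto 4) + inner datagram; ESP transport mode
    sets the outer protocol to 50 and records 4 as the ESP next header. The
    result is byte-for-byte what tunnel mode produces.
    """
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(segment)) + segment
    esp = esp_wrap(inner, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def receive(packet):
    """Model the receiver: return (IP-layer passes, final L4 protocol, L4 payload).

    A pass is one IP header parsed. After ESP is stripped, a next header of 4
    means an inner datagram must be re-injected and processed again, which is
    the extra de-encapsulation step the post refers to.
    """
    passes = 0
    data = packet
    while True:
        proto = data[9]                 # IPv4 protocol field
        passes += 1
        data = data[IPV4_HDR_LEN:]
        if proto != IPPROTO_ESP:
            return passes, proto, data
        next_header = data[-1]
        data = data[ESP_HDR_LEN:-ESP_TRAILER_LEN]
        if next_header != IPPROTO_IPIP:
            return passes, next_header, data
        # tunnel payload: loop to parse the inner IP header


def overhead(packet, segment):
    """Bytes added on the wire beyond the protected L4 segment."""
    return len(packet) - len(segment)


if __name__ == "__main__":
    cases = [
        ("transport", transport_mode(HOST_A, HOST_B, TCP_SEGMENT)),
        ("tunnel, inner==outer", tunnel_mode(HOST_A, HOST_B, HOST_A, HOST_B, TCP_SEGMENT)),
    ]
    for name, pkt in cases:
        passes, proto, _ = receive(pkt)
        print(f"{name}: {overhead(pkt, TCP_SEGMENT)} bytes overhead, {passes} IP-layer pass(es)")
```

Running it shows transport mode costing 30 bytes and one IP pass, while tunnel mode with identical inner and outer addresses still costs 50 bytes and two passes; the transport-over-IP-IP packet compares equal to the tunnel-mode packet, which is the equivalence the post argues.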
Last updated: Wed Mar 27 18:18:18 2002