Re: IPSEC target and transport mode

["Bernard Aboba" <bernard_aboba@hotmail.com>]

>I really don't like this idea.
>
>While it is true that Tunnel Mode
>does not require the use of a gateway, Transport Mode is actually
>the more general mode.
>
>It is possible to combine Transport Mode with any arbitrary something-in-IP 
>tunneling protocol (IP-IP, GRE, etc.).  In the case of >Transport Mode + 
>IP-IP tunneling, you achieve something that is equivalent to Tunnel Mode, 
>thus satisfying those who need it (I >suggest that everyone read 
>draft-touch-ipsec-vpn-03.txt).

Having worked with transport mode tunnels for a few years now (L2TP), we 
have come to the same conclusion. By linking SA selection to next hop 
forwarding, tunnel mode complicates routing considerably. Transport mode 
tunnels are more compatible with dynamic routing protocols. Today most 
tunnel mode vendors only support either static routing or BGP run down the 
tunnel, and that makes it very difficult for enterprise customers to manage 
and deploy large numbers of tunnels.

Although it can be done, Tunnel mode is also more difficult to implement as 
an interface than Transport mode IP-IP. There already is pushback on iSCSI 
HBAs that cannot act as a full fledged interface; this will ensure that this 
continues to be a problem many years into the future.

>Transport Mode is also less expensive from a processing point of view.
>If you use Tunnel Mode with no gateway (i.e. inner-dest==outer-dest,
>outer-source==inner-source), you still have to de-encap the packet and
>re-process it, which is something you don't have to do in Transport >Mode.

It would seem to me that this additional cost might be a concern in the 10 
Gbps case in particular.


_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com