RE: IPSEC target and transport mode

David,

> The sense of the room in Minneapolis (and it was a bit rough,
> with visible dissent) was to drop the requirement for IPsec
> transport mode.

I agree with this statement - it was a bit rough. It was not rough, though, in Huntington Beach. We had a (nearly) unanimous vote (doesn't happen that often :-) I know you've said you "shoved that one on us", but I don't believe that's the case. A number of us in Huntington Beach believed we had the right solution - and the vote backed it up.

> Steve and I had lunch on Monday of IETF
> week, and his advice on this issue was to drop the transport requirement
> as a "MUST implement" for tunnel mode is sufficient for interoperability.

I'm aware that a number of issues have been solved "over lunch", and sometimes this is the right thing to do. However, I believe there are a number of people on both sides of this issue.

> I am certain that WG rough consensus cannot be
> obtained for requiring transport mode in all cases (i.e., without the
> "when RFC 2401 says it is" qualifier from Huntington Beach).

I still don't understand the rationale for overriding the language in 2401, part 'a'. In summary,

a) A host MUST support both transport and tunnel mode.

b) A security gateway is required to support only tunnel mode. If it supports transport mode, that should be used only when the security gateway is acting as a host, e.g., for network management.

> If I were starting from a clean sheet of paper without regard to existing
> IPsec implementations/technology/etc., I would be inclined to do as Jason
> suggests. However, we are not in that situation.
> The current situation is that there is significant interest in the WG in
> using existing IPsec systems/devices/etc. to address this area of
> functionality;

There are plenty of people/companies building new devices, as well. Some of those, including my company, are interested in Transport mode support. Your argument in the past has been "you can still do that - it's a MAY". I really can't agree with that when we're thinking about interop. The MUST/MUST language was fine. 2401 says it's the right thing to do. The requirement for IP storage is end-to-end.

Todd.