RE: IPSEC target and transport mode
David,
>The sense of the room in Minneapolis (and it was a bit rough,
>with visible dissent) was to drop the requirement for IPsec
>transport mode.
I agree with this statement - it was a bit rough. It was not
rough, though, in Huntington Beach. We had a (nearly) unanimous
vote (doesn't happen that often :-) I know you've said you
"shoved that one on us", but I don't believe that's the case. A
number of us in Huntington Beach believed we had the right
solution - and the vote backed it up.
> Steve and I had lunch on Monday of IETF
> week, and his advice on this issue was to drop the transport requirement
> as a "MUST implement" for tunnel mode is sufficient for interoperability.
I'm aware that a number of issues have been solved "over lunch",
and sometimes this is the right thing to do. However, I believe
there are a number of people on both sides of this issue.
>I am certain that WG rough consensus cannot be
>obtained for requiring transport mode in all cases (i.e., without the
>"when RFC 2401 says it is" qualifier from Huntington Beach).
I still don't understand the rationale for overriding the language
in 2401, part 'a'.
In summary,
a) A host MUST support both transport and tunnel mode.
b) A security gateway is required to support only tunnel
mode. If it supports transport mode, that should be used
only when the security gateway is acting as a host, e.g.,
for network management.
>If I were starting from a clean sheet of paper without regard to existing
>IPsec implementations/technology/etc., I would be inclined to do as Jason
>suggests. However, we are not in that situation.
>The current situation is that there is significant interest in the WG in
>using existing IPsec systems/devices/etc. to address this area of
>functionality;
There are plenty of people/companies building new devices, as well. Some of
those, including my company, are interested in Transport mode support.
Your argument in the past has been "you can still do that - it's a MAY".
I really can't agree with that when we're thinking about interop.
The MUST/MUST language was fine. 2401 says it's the right thing to do.
The requirement for IP storage is end-to-end.
Todd.