
    RE: IPSEC target and transport mode



    
    David,
    
    >The sense of the room in Minneapolis (and it was a bit rough,
    >with visible dissent) was to drop the requirement for IPsec
    >transport mode. 
    
    I agree with this statement - it was a bit rough.  It was not
    rough, though, in Huntington Beach.  We had a (nearly) unanimous
    vote (doesn't happen that often :-)  I know you've said you
    "shoved that one on us", but I don't believe that's the case.  A
    number of us in Huntington Beach believed we had the right 
    solution - and the vote backed it up.
    
    > Steve and I had lunch on Monday of IETF
    > week, and his advice on this issue was to drop the transport requirement
    > as a "MUST implement" for tunnel mode is sufficient for interoperability.
    
    I'm aware that a number of issues have been solved "over lunch",
    and sometimes this is the right thing to do.  However, I believe
    there are a number of people on both sides of this issue.  
    
    >I am certain that WG rough consensus cannot be
    >obtained for requiring transport mode in all cases (i.e., without the
    >"when RFC 2401 says it is" qualifier from Huntington Beach).
    
    I still don't understand the rationale for overriding the language
    in 2401, part 'a'.
    
        In summary,
            a) A host MUST support both transport and tunnel mode.
            b) A security gateway is required to support only tunnel
               mode.  If it supports transport mode, that should be used
               only when the security gateway is acting as a host, e.g.,
               for network management.
    
    >If I were starting from a clean sheet of paper without regard to existing
    >IPsec implementations/technology/etc., I would be inclined to do as Jason
    >suggests.  However, we are not in that situation.
    >The current situation is that there is significant interest in the WG in
    >using existing IPsec systems/devices/etc. to address this area of
    >functionality; 
    
    There are plenty of people/companies building new devices, as well.  Some of
    those, including my company, are interested in Transport mode support.
    Your argument in the past has been "you can still do that - it's a MAY".
    I really can't agree with that when we're thinking about interop.
    
    The MUST/MUST language was fine.  2401 says it's the right thing to do.
    The requirement for IP storage is end-to-end.
    
    Todd.
    


Last updated: Wed Apr 03 17:18:17 2002
9463 messages in chronological order