RE: IPSEC target and transport mode

Todd,

> I still don't understand the rationale for overriding the language
> in 2401, part 'a'.
>
> In summary,
> a) A host MUST support both transport and tunnel mode.

What I've heard is a desire to use existing gateway implementations of IPsec that don't support tunnel mode well or at all due to:

> b) A security gateway is required to support only tunnel
> mode. If it supports transport mode, that should be used
> only when the security gateway is acting as a host, e.g.,
> for network management.

Which leads to what I wrote in the original message:

> >If I were starting from a clean sheet of paper without regard to existing
> >IPsec implementations/technology/etc., I would be inclined to do as Jason
> >suggests. However, we are not in that situation.
> >The current situation is that there is significant interest in the WG in
> >using existing IPsec systems/devices/etc. to address this area of
> >functionality;

As for new devices and existing devices:

> There are plenty of people/companies building new devices, as well. Some of
> those, including my company, are interested in Transport mode support.
> Your argument in the past has been "you can still do that - it's a MAY".
> I really can't agree with that when we're thinking about interop.

The WG contains both communities and "rough consensus" needs to span them.

> The MUST/MUST language was fine. 2401 says it's the right thing to do.
> The requirement for IP storage is end-to-end.

That's back to the "clean sheet of paper" argument for those building new devices.
I take strong exception to the argument that only IPsec transport mode can deliver end-to-end security. Security policy and distribution of IKE authentication material are far more important: they can yield end-to-end security in tunnel mode when done right, and a lack of end-to-end security in transport mode when done wrong. L2TP security is resulting in the creation of security gateway-like entities that use transport mode among themselves.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------