RE: IPSEC target and transport mode

> > What I've heard is a desire to use existing gateway implementations of
> > IPsec that don't support tunnel mode well or at all due to:
>                                           ^^^^^^
> Did you mean to say transport?

Yes, mea culpa.

> Again, I believe that's the case - but I don't believe that's
> sufficient reason to override 2401.
>
> > The WG contains both communities and "rough consensus" needs to span them.
>
> Agreed. The consensus in the IPSec WG is MUST/MUST. 2401
> says so.

It is my understanding that neither the ipsec WG nor the Security ADs
have any problem with us departing from 2401 in this area.

> We had a unanimous vote in HB for the same thing. We
> did not have that in Minn.

As I said, I twisted arms in HB. I've learned my lesson and will try not
to do that again ;-).

> > I take strong exception to the argument that only IPsec transport
> > mode can deliver end-to-end security;
>
> Agreed. I never said it was not possible - I only alluded to
> our preference to achieving the host/host scenario using
> Transport mode.
>
> There's no reason that I know of to lock out Transport mode.
> 2401 does not require gateways to use/implement it.

I don't understand how one gets from "MAY implement" to "lock out". If
the proposal were "MUST NOT implement", a complaint about "lock out"
would be a reasonable position, but that's not the proposal. There is
even text being added to the IPS security draft (and hence to the iSCSI
draft, I hope) to clean up some potential interoperability problems that
RFC 2407 could create in this area.

> Give transport mode a chance. I'm hearing that we have allowed
> 2 weeks for draft completion of CHAP+DH. I'm assuming there
> will be a vote.

That's "vote" in some sort of quotes. In practice it's based on following
discussion on the list. Far more attention is paid to those stating sound
technical reasons than those saying "I vote XXX".

> Let's take a vote on MUST/MUST as well. Then,
> let's get on with last call.

Indeed. I started the discussion on this issue over a week ago, so it is
now time to close it and move on. Based on that discussion I believe the
IPS WG rough consensus is "MUST implement" tunnel mode, and "MAY
implement" transport mode. In looking over the discussion, I see that:

- Bill Stundemund has withdrawn his objection
- Jason Thorpe has accepted a sentence involving a "should" for use of
  transport mode when performance (number of bytes transmitted) is a
  concern.
- I believe that sentence also resolves John Hufferd's performance-based
  objection.
- That leaves Todd Sperry's objection

Hence I call this consensus for "MUST implement" tunnel mode and "MAY
implement" transport mode over Todd Sperry's objection.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449   *NEW* FAX: +1 (508) 497-8500
black_david@emc.com   Cell: +1 (978) 394-7754
---------------------------------------------------
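The "number of bytes transmitted" concern behind the "should" for transport mode, made concrete as an added example that is not part of the thread above: the script below counts the per-packet bytes ESP adds in transport mode (original IP header, ESP wraps only the TCP segment) versus tunnel mode (new outer IP header, ESP wraps the inner IP header and the TCP segment). The ESP field sizes (SPI, sequence number, IV, padding, pad-length, next-header, ICV) follow the RFC 2406 layout; the two cipher suites, the IPv4 header size without options, and the sample segment lengths are assumptions chosen for illustration.

```python
"""Per-packet byte overhead of IPsec ESP, tunnel mode vs transport mode.

Added example, not code from the IPS WG or from any message in the thread.
ESP datagram layout (RFC 2406): SPI (4) | sequence number (4) | IV |
payload | padding | pad length (1) | next header (1) | ICV.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options (assumption)
ESP_SPI_SEQ = 8    # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV bytes carried in the packet
    block: int     # cipher block size the payload is padded to
    icv_len: int   # truncated MAC appended after the trailer


# Two suites of the RFC 2401/2406 era; field sizes are the standard ones,
# the labels are chosen here.
THREE_DES_SHA1 = EspSuite("3DES-CBC + HMAC-SHA1-96", iv_len=8, block=8, icv_len=12)
AES_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, block=16, icv_len=12)


def esp_padding(plaintext_len: int, block: int) -> int:
    """Padding bytes so plaintext + padding + 2-byte trailer ends on a
    cipher block boundary (and never less than 4-byte alignment)."""
    unit = max(block, 4)
    return (-(plaintext_len + ESP_TRAILER)) % unit


def esp_datagram_len(protected_len: int, suite: EspSuite) -> int:
    """Length of the ESP datagram (everything after the outer IP header)
    that protects protected_len bytes of plaintext."""
    pad = esp_padding(protected_len, suite.block)
    return ESP_SPI_SEQ + suite.iv_len + protected_len + pad + ESP_TRAILER + suite.icv_len


def transport_mode_len(tcp_segment_len: int, suite: EspSuite) -> int:
    """Transport mode: original IP header, ESP protects only the TCP segment."""
    return IPV4_HDR + esp_datagram_len(tcp_segment_len, suite)


def tunnel_mode_len(tcp_segment_len: int, suite: EspSuite) -> int:
    """Tunnel mode: new outer IP header, ESP protects inner IP header + TCP segment."""
    return IPV4_HDR + esp_datagram_len(IPV4_HDR + tcp_segment_len, suite)


def overhead(tcp_segment_len: int, suite: EspSuite) -> dict:
    """Bytes each mode adds to a plain IPv4 packet carrying tcp_segment_len bytes."""
    plain = IPV4_HDR + tcp_segment_len
    return {
        "plain": plain,
        "transport": transport_mode_len(tcp_segment_len, suite) - plain,
        "tunnel": tunnel_mode_len(tcp_segment_len, suite) - plain,
    }


def wire_bytes(segment_lens, suite: EspSuite, mode: str) -> int:
    """Total bytes on the wire for a sequence of TCP segment lengths."""
    size = {
        "plain": lambda n: IPV4_HDR + n,
        "transport": lambda n: transport_mode_len(n, suite),
        "tunnel": lambda n: tunnel_mode_len(n, suite),
    }[mode]
    return sum(size(n) for n in segment_lens)


if __name__ == "__main__":
    # Constructed sample burst: five full-size segments and a short tail.
    segments = [1400] * 5 + [1192]
    for suite in (THREE_DES_SHA1, AES_SHA1):
        print(suite.name)
        for seg in (64, 1400):
            print(f"  TCP segment {seg:5d} bytes: {overhead(seg, suite)}")
        for mode in ("plain", "transport", "tunnel"):
            print(f"  {mode:9s} burst total: {wire_bytes(segments, suite, mode)} bytes")
```

Tunnel mode always costs the extra outer IP header, partly offset or amplified by how the inner header shifts the padding; with 3DES the net difference is 16 bytes per packet at 1400-byte segments, and the ratio matters most for the small segments (commands, acknowledgements) that dominate a storage session's packet count.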