    RE: IPSEC target and transport mode



    > > What I've heard is a desire to use existing gateway implementations of
    > > IPsec that don't support tunnel mode well or at all due to:
    >                             ^^^^^
    > Did you mean to say transport?
    
    Yes, mea culpa.
    
    > Again, I believe that's the case - but I don't believe that's
    > sufficient reason to override 2401.
    > 
    > > The WG contains both communities and "rough consensus" needs to span them.
    >
    > Agreed.  The consensus in the IPSec WG is MUST/MUST.  2401
    > says so.
    
    It is my understanding that neither the ipsec WG nor the Security ADs
    have any problem with us departing from 2401 in this area.
    
    > We had a unanimous vote in HB for the same thing.  We
    > did not have that in Minn.
    
    As I said, I twisted arms in HB.  I've learned my lesson and will
    try not to do that again ;-).
    
    > > I take strong exception to the argument that only IPsec transport
    > > mode can deliver end-to-end security;
    > 
    > Agreed.  I never said it was not possible - I only alluded to
    > our preference to achieving the host/host scenario using 
    > Transport mode.
    > 
    > There's no reason that I know of to lock out Transport mode. 
    > 2401 does not require gateways to use/implement it.
    
    I don't understand how one gets from "MAY implement" to "lock out".
    If the proposal were "MUST NOT implement", a complaint about "lock out"
    would be a reasonable position, but that's not the proposal.  There is
    even text being added to the IPS security draft (and hence to the iSCSI
    draft, I hope) to clean up some potential interoperability problems that
    RFC 2407 could create in this area.
     
    > Give transport mode a chance.  I'm hearing that we have allowed
    > 2 weeks for draft completion of  CHAP+DH.  I'm assuming there
    > will be a vote.
    
    That's "vote" in some sort of quotes.  In practice it's based on
    following discussion on the list.  Far more attention is paid to those
    stating sound technical reasons than those saying "I vote XXX".
    
    > Let's take a vote on MUST/MUST as well.  Then,
    > let's get on with last call.
    
    Indeed.  I started the discussion on this issue over a week ago,
    so it is now time to close it and move on.  Based on that discussion
    I believe the IPS WG rough consensus is "MUST implement" tunnel mode,
    and "MAY implement" transport mode.  In looking over the discussion,
    I see that:
    	- Bill Stundemund has withdrawn his objection
    	- Jason Thorpe has accepted a sentence involving a
    		"should" for use of transport mode when performance
    		(number of bytes transmitted) is a concern.
    	- I believe that sentence also resolves John Hufferd's
    		performance-based objection.
    	- That leaves Todd Sperry's objection
    Hence I call this consensus for "MUST implement" tunnel mode and
    "MAY implement" transport mode over Todd Sperry's objection.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    
Last updated: Thu Apr 04 17:18:22 2002