Re: IPSEC target and transport mode

["Bernard Aboba" <bernard_aboba@hotmail.com>]

>I am very interested if some of the OS vendors out there can tell me >what 
>their plans are.  I am hoping not to have to implement IPsec on >OS driver 
>stacks for my product, in fact I would love to just use the 
> >implementations that exist on various operating system platforms as >they 
>exist today.
>
>Is there anyone who can speak for what Solaris/Windows/Linux/AIX are 
> >planning on doing in this space.

Planning? Almost all operating systems shipped support for IPsec, including 
both tunnel mode and transport mode, quite a while ago. So if it's software 
implementations you're interested in, my sense is that most implementations 
should be quite capable of being configured with a simple IPsec policy to 
protect iSCSI, iFCP or FCIP. This policy would typically look like: "use 
IPsec from me to any dest port IPS" on outbound and "require IPsec from any 
to me, dest port IPS" on inbound.

>
>I know at one point NT was not fond of tunnel mode, but prefered to 
> >implement L2TP over Transport Mode for tunneling...

To be clear, Windows 2000 and XP support tunnel mode, transport mode as well 
as IPsec/L2TP tunneling. Transport mode encapsulation works better, for the 
reasons described in 
http://www.ietf.org/internet-drafts/draft-touch-ipsec-vpn-03.txt so that 
this is not really an implementation-specific issue.


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.