RE: IPSEC target and transport mode

[Bill Studenmund <wrstuden@wasabisystems.com>]

On Sat, 6 Apr 2002, Bernard Aboba wrote:

> >There is no need to claim compliance with "IPS security" in
> >that case. The WG should not encourage this usage, if it still
> >believes in the above "prime directive".
>
> Indeed, such usage is irrelevant to IPS security and cannot be used to
> demonstrate "two interoperable implementations" where the endpoints won't be
> implementing IPS protocols.
>
> >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
>
> What is most interesting about this is that the folks providing software
> iSCSI support operating systems, as well as HBAs and Targets seem to be
> lining up for Transport mode, but so far we haven't heard much from vendors
> with an interest in producing a tunnel mode endpoint product. It seems that
> the interest in tunnel mode is primarily in interoperating with separate
> IPsec security gateways, which is out of scope.

So why are we softening the, "if you look like a host to RFC 2401, you
should act like one (support both transport and tunnel)," language? I
agree that we can get away with just tunnel mode (as a minimum for
interoperability). I still just don't understand why people want to; what
are we really saving?

Take care,

Bill