    RE: IPSEC target and transport mode



    Same question from me as Bill has stated in his email???
    
    For VPN type of application of IPSec, one can see the need of using tunnel
    mode (for traffic flow confidentiality - hiding a private network behind
    the SG).
    For communications between IPS end nodes, there might be situations
    (intervening FW/SG) where tunnel mode IPSec is necessary.  However, when
    those reasons do not exist, transport mode IPSec sure is the right way to
    go, IMHO.  We should not impose the penalty that comes with tunnel mode
    IPSec when it is not required to achieve the benefit of IPSec.
    
    What is inappropriate with MUST/MUST for both tunnel/transport mode IPSec?
    
    cj
    
    -----Original Message-----
    From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
    Sent: Saturday, April 06, 2002 4:31 PM
    To: Bernard Aboba
    Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu;
    jis@mit.edu; smb@research.att.com
    Subject: RE: IPSEC target and transport mode
    
    
    On Sat, 6 Apr 2002, Bernard Aboba wrote:
    
    > >There is no need to claim compliance with "IPS security" in
    > >that case. The WG should not encourage this usage, if it still
    > >believes in the above "prime directive".
    >
    > Indeed, such usage is irrelevant to IPS security and cannot be used to
    > demonstrate "two interoperable implementations" where the endpoints won't
    > be implementing IPS protocols.
    >
    > >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
    >
    > What is most interesting about this is that the folks providing software
    > iSCSI support operating systems, as well as HBAs and Targets seem to be
    > lining up for Transport mode, but so far we haven't heard much from
    > vendors with an interest in producing a tunnel mode endpoint product. It
    > seems that the interest in tunnel mode is primarily in interoperating
    > with separate IPsec security gateways, which is out of scope.
    
    So why are we softening the, "if you look like a host to RFC 2401, you
    should act like one (support both transport and tunnel)," language? I
    agree that we can get away with just tunnel mode (as a minimum for
    interoperability). I still just don't understand why people want to; what
    are we really saving?
    
    Take care,
    
    Bill
    
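The "penalty" of tunnel mode that cj mentions, and Bill's "what are we really saving?", can be put in bytes. The following is an added example, not code from the thread or from any IPS implementation: it computes the on-the-wire size of an ESP-protected IPv4 packet in transport and in tunnel mode using the RFC 2406 ESP layout, and assumes 3DES-CBC (8-byte block, 8-byte IV) with HMAC-SHA1-96 (12-byte ICV) as example parameters.

```python
# Added example: size of an ESP packet in transport vs tunnel mode (IPv4).
# ESP layout per RFC 2406: SPI(4) + Seq(4) + IV + protected data + padding
# + PadLen(1) + NextHdr(1) + ICV. The padded region must be a multiple of
# the cipher block size. Cipher/ICV sizes are assumed example parameters
# (3DES-CBC + HMAC-SHA1-96), not values taken from the thread.

IPV4_HDR = 20   # bytes, no options
ESP_HDR = 8     # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header


def esp_size(inner_len, mode, block=8, iv=8, icv=12):
    """On-the-wire IPv4 length when ESP protects `inner_len` bytes of
    transport-layer data (e.g. TCP header + iSCSI PDU).

    'transport' protects only the transport payload behind the original
    IP header; 'tunnel' protects the whole original IP packet, so the inner
    IP header is carried again inside ESP and a new outer header is added.
    """
    if mode == "transport":
        protected = inner_len
    elif mode == "tunnel":
        protected = IPV4_HDR + inner_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # pad so that (protected + trailer) is block-aligned
    pad = (-(protected + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + icv


def tunnel_penalty(inner_len, **kw):
    """Extra bytes per packet that tunnel mode costs over transport mode
    for the same transport payload (inner IP header plus any extra padding)."""
    return esp_size(inner_len, "tunnel", **kw) - esp_size(inner_len, "transport", **kw)


def max_inner(mtu, mode, **kw):
    """Largest transport payload whose ESP packet still fits in `mtu` bytes,
    i.e. the effective per-packet budget each mode leaves for iSCSI data."""
    n = mtu
    while n > 0 and esp_size(n, mode, **kw) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, esp_size(1460, mode), "bytes; fits in 1500:", max_inner(1500, mode))
    print("tunnel penalty for 1460-byte payload:", tunnel_penalty(1460), "bytes")
```

With the assumed parameters the penalty is the 20-byte inner header plus or minus a few bytes of block padding, which is the quantity the two sides of the thread are weighing against the tunnel-mode deployment cases.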


Last updated: Mon Apr 08 13:18:22 2002