RE: IPSEC target and transport mode

Same question from me as Bill has stated in his email??? For VPN type of application of IPSec, one can see the need of using tunnel mode (for traffic flow confidentiality - hiding a private network behind the SG). For communications between IPS end nodes, there might be situations (intervening FW/SG) where tunnel mode IPSec is necessary. However, when those reasons do not exist, transport mode IPSec sure is the right way to go, IMHO. We should not impose the penalty that comes with tunnel mode IPSec when it is not required to achieve the benefit of IPSec. What is inappropriate with MUST/MUST for both tunnel/transport mode IPSec?

cj

-----Original Message-----
From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
Sent: Saturday, April 06, 2002 4:31 PM
To: Bernard Aboba
Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu; jis@mit.edu; smb@research.att.com
Subject: RE: IPSEC target and transport mode

On Sat, 6 Apr 2002, Bernard Aboba wrote:

> >There is no need to claim compliance with "IPS security" in
> >that case. The WG should not encourage this usage, if it still
> >believes in the above "prime directive".
>
> Indeed, such usage is irrelevant to IPS security and cannot be used to
> demonstrate "two interoperable implementations" where the endpoints won't be
> implementing IPS protocols.
>
> >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
>
> What is most interesting about this is that the folks providing software
> iSCSI support operating systems, as well as HBAs and Targets seem to be
> lining up for Transport mode, but so far we haven't heard much from vendors
> with an interest in producing a tunnel mode endpoint product. It seems that
> the interest in tunnel mode is primarily in interoperating with separate
> IPsec security gateways, which is out of scope.

So why are we softening the, "if you look like a host to RFC 2401, you should act like one (support both transport and tunnel)," language? I agree that we can get away with just tunnel mode (as a minimum for interoperability). I still just don't understand why people want to; what are we really saving?

Take care,

Bill
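The "penalty" of tunnel mode that cj mentions, and the "what are we really saving?" that Bill asks, both come down to the extra inner IP header that tunnel mode carries inside every ESP packet, plus whatever that does to ESP padding and to the payload that still fits in one MTU. The Python below is added here as an illustration; it is not part of the archived thread and is not any poster's code. It lays out an ESP-protected TCP segment according to the RFC 2401/2406 framing (IP header, SPI, sequence number, IV, encrypted payload, padding, pad-length and next-header trailer, ICV) for transport and tunnel mode, and reports the per-packet difference and the largest application payload that fits a 1500-byte MTU. The IPv4 and TCP headers are assumed to carry no options, and the two cipher suites (AES-CBC with HMAC-SHA1-96, 3DES-CBC with HMAC-SHA1-96) are assumed choices with their standard block, IV and ICV sizes; none of these values come from the thread.

```python
"""Per-packet ESP framing cost, transport vs tunnel mode (RFC 2401/2406 layout).

Added example; the header sizes and cipher suites are assumptions, not values
taken from the mailing-list thread.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # assumption: IPv4 header without options
TCP_HDR = 20       # assumption: TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part


@dataclass(frozen=True)
class EspSuite:
    """Sizes that determine ESP framing for one cipher/authenticator pair."""
    name: str
    block: int   # cipher block size; encrypted payload is padded to a multiple of it
    iv: int      # IV carried in clear at the front of the ESP payload
    icv: int     # truncated authenticator appended after the trailer


# Assumed suites (standard sizes for these algorithms in ESP).
AES_CBC_HMAC_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", block=16, iv=16, icv=12)
TDES_CBC_HMAC_SHA1 = EspSuite("3DES-CBC / HMAC-SHA1-96", block=8, iv=8, icv=12)


def esp_padding(plaintext_len: int, block: int) -> int:
    """Padding bytes so that plaintext + padding + 2-byte trailer fills whole
    cipher blocks. ESP's 4-byte alignment rule is implied for block >= 4."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_packet_len(app_bytes: int, suite: EspSuite, mode: str) -> int:
    """On-the-wire length of one IPv4 packet carrying app_bytes of TCP data
    under ESP in the given mode ('transport' or 'tunnel')."""
    inner = TCP_HDR + app_bytes            # what gets encrypted in transport mode
    if mode == "tunnel":
        inner += IPV4_HDR                  # tunnel mode also encrypts the inner IP header
    elif mode != "transport":
        raise ValueError(f"unknown IPsec mode: {mode}")
    pad = esp_padding(inner, suite.block)
    # outer IP + ESP header + IV + encrypted (inner + pad + trailer) + ICV
    return IPV4_HDR + ESP_HDR + suite.iv + inner + pad + ESP_TRAILER + suite.icv


def tunnel_penalty(app_bytes: int, suite: EspSuite) -> int:
    """Extra bytes per packet that tunnel mode costs over transport mode.
    It is the 20-byte inner header plus or minus a padding difference."""
    return (esp_packet_len(app_bytes, suite, "tunnel")
            - esp_packet_len(app_bytes, suite, "transport"))


def max_app_bytes(mtu: int, suite: EspSuite, mode: str) -> int:
    """Largest TCP payload per segment whose ESP packet still fits the MTU
    without IP fragmentation (a linear search from the MTU downward)."""
    n = mtu
    while n > 0 and esp_packet_len(n, suite, mode) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for suite in (AES_CBC_HMAC_SHA1, TDES_CBC_HMAC_SHA1):
        print(suite.name)
        for app in (64, 512, 1000):
            print(f"  {app:5d} app bytes: transport={esp_packet_len(app, suite, 'transport')}"
                  f" tunnel={esp_packet_len(app, suite, 'tunnel')}"
                  f" penalty={tunnel_penalty(app, suite)}")
        print(f"  payload per 1500-byte MTU: transport={max_app_bytes(1500, suite, 'transport')}"
              f" tunnel={max_app_bytes(1500, suite, 'tunnel')}")
```

Because the inner IPv4 header is 20 bytes and 20 is not a multiple of either cipher block size, the tunnel-mode penalty is not a constant: with AES-CBC it alternates between 16 and 32 bytes depending on how the payload aligns, and it shaves 20 bytes off the application data that fits in each unfragmented packet. For a bulk iSCSI data stream on a 1500-byte MTU that is on the order of a 1.4% per-packet cost before counting any gateway processing, which is the order of magnitude behind the "what are we really saving?" question.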
Last updated: Mon Apr 08 13:18:22 2002