    RE: IPSEC target and transport mode



    > What is inappropriate with MUST/MUST for both
    > tunnel/transport mode IPSec?
    
    One more required mode than is necessary for interoperation.
    See RFC 2119 Section 6.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    
    
    > -----Original Message-----
    > From: Lee, CJ [mailto:CJ_Lee@adaptec.com]
    > Sent: Monday, April 08, 2002 12:07 PM
    > To: 'Bill Studenmund'; Bernard Aboba
    > Cc: Mukund, Shridhar; Black_David@emc.com; ips@ece.cmu.edu;
    > jis@mit.edu; smb@research.att.com
    > Subject: RE: IPSEC target and transport mode
    > 
    > 
    > Same question from me as Bill has stated in his email???
    > 
    > For VPN type of application of IPSec, one can see the need of using
    > tunnel mode (for traffic flow confidentiality - hiding a private
    > network behind the SG).
    > For communications between IPS end nodes, there might be a situation
    > (intervening FW/SG) where tunnel mode IPSec is necessary.  However, when
    > those reasons do not exist, transport mode IPSec sure is the right way
    > to go, IMHO.  We should not impose the penalty that comes with the
    > tunnel mode IPSec when it is not required to achieve the benefit of
    > IPSec.
    > 
    > What is inappropriate with MUST/MUST for both
    > tunnel/transport mode IPSec?
    > 
    > cj
    > 
    > -----Original Message-----
    > From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
    > Sent: Saturday, April 06, 2002 4:31 PM
    > To: Bernard Aboba
    > Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu;
    > jis@mit.edu; smb@research.att.com
    > Subject: RE: IPSEC target and transport mode
    > 
    > 
    > On Sat, 6 Apr 2002, Bernard Aboba wrote:
    > 
    > > >There is no need to claim compliance with "IPS security" in
    > > >that case. The WG should not encourage this usage, if it still
    > > >believes in the above "prime directive".
    > >
    > > Indeed, such usage is irrelevant to IPS security and cannot be used to
    > > demonstrate "two interoperable implementations" where the endpoints
    > > won't be implementing IPS protocols.
    > >
    > > >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
    > >
    > > What is most interesting about this is that the folks providing
    > > software iSCSI support operating systems, as well as HBAs and Targets
    > > seem to be lining up for Transport mode, but so far we haven't heard
    > > much from vendors with an interest in producing a tunnel mode endpoint
    > > product. It seems that the interest in tunnel mode is primarily in
    > > interoperating with separate IPsec security gateways, which is out of
    > > scope.
    > 
    > So why are we softening the, "if you look like a host to RFC 2401, you
    > should act like one (support both transport and tunnel)," language? I
    > agree that we can get away with just tunnel mode (as a minimum for
    > interoperability). I still just don't understand why people want to;
    > what are we really saving?
    > 
    > Take care,
    > 
    > Bill
    > 
    


Last updated: Mon Apr 08 13:18:22 2002