RE: IPSEC target and transport mode

To: CJ_Lee@adaptec.com
Subject: RE: IPSEC target and transport mode
From: Black_David@emc.com
Date: Mon, 8 Apr 2002 12:15:57 -0400
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

> What is inappropriate with MUST/MUST for both
> tunnel/transport mode IPSec?

One more required mode than is necessary for interoperation.
See RFC 2119 Section 6.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------


> -----Original Message-----
> From: Lee, CJ [mailto:CJ_Lee@adaptec.com]
> Sent: Monday, April 08, 2002 12:07 PM
> To: 'Bill Studenmund'; Bernard Aboba
> Cc: Mukund, Shridhar; Black_David@emc.com; ips@ece.cmu.edu; 
> jis@mit.edu;
> smb@research.att.com
> Subject: RE: IPSEC target and transport mode
> 
> 
> Same question from me as Bill have stated in his email???
> 
> For VPN type of application of IPSec, one can see the need of 
> using tunnel 
> mode (for traffic flow confidentiality - hiding a private 
> network behind 
> the SG).
> For communications between IPS end nodes, there might be situation
> (intervening
> FW/SG) that tunnel mode IPSec is necessary.  However, when 
> those reasons do
> not exist, transport mode IPSec sure is the right way to go, IMHO.  We
> should 
> not impose the penality comes with the tunnel mode IPSec when 
> it is not
> required
> to achieve the benefit of IPSec.
> 
> What is inappropriate with MUST/MUST for both 
> tunnel/transport mode IPSec?
> 
> cj
> 
> -----Original Message-----
> From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
> Sent: Saturday, April 06, 2002 4:31 PM
> To: Bernard Aboba
> Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu;
> jis@mit.edu; smb@research.att.com
> Subject: RE: IPSEC target and transport mode
> 
> 
> On Sat, 6 Apr 2002, Bernard Aboba wrote:
> 
> > >There is no need to claim compliance with "IPS security" in
> > >that case. The WG should not encourage this usage, if it still
> > >believes in the above "prime directive".
> >
> > Indeed, such usage is irrelevant to IPS security and cannot 
> be used to
> > demonstrate "two interoperable implementations" where the 
> endpoints won't
> be
> > implementing IPS protocols.
> >
> > >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
> >
> > What is most interesting about this is that the folks 
> providing software
> > iSCSI support operating systems, as well as HBAs and 
> Targets seem to be
> > lining up for Transport mode, but so far we haven't heard much from
> vendors
> > with an interest in producing a tunnel mode endpoint 
> product. It seems
> that
> > the interest in tunnel mode is primarily in interoperating 
> with separate
> > IPsec security gateways, which is out of scope.
> 
> So why are we softening the, "if you look like a host to RFC 2401, you
> should act like one (support both transport and tunnel)," language? I
> agree that we can get away with just tunnel mode (as a minimum for
> interoperability). I still just don't understand why people 
> want to; what
> are we really saving?
> 
> Take care,
> 
> Bill
>

Prev by Date: RE: IPSEC target and transport mode
Next by Date: Re: ISCSI: Unsolicited data in draft v12
Prev by thread: RE: IPSEC target and transport mode
Next by thread: Identifying Initiator
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 08 13:18:22 2002
9544 messages in chronological order