Subject: RE: IPSEC target and transport mode

> What is inappropriate with MUST/MUST for both
> tunnel/transport mode IPSec?

One more required mode than is necessary for interoperation.
See RFC 2119 Section 6.

Thanks,
--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------

> -----Original Message-----
> From: Lee, CJ [mailto:CJ_Lee@adaptec.com]
> Sent: Monday, April 08, 2002 12:07 PM
> To: 'Bill Studenmund'; Bernard Aboba
> Cc: Mukund, Shridhar; Black_David@emc.com; ips@ece.cmu.edu; jis@mit.edu;
> smb@research.att.com
> Subject: RE: IPSEC target and transport mode
>
> Same question from me as Bill has stated in his email?
>
> For VPN type of application of IPSec, one can see the need for using tunnel
> mode (for traffic flow confidentiality - hiding a private network behind
> the SG).
> For communications between IPS end nodes, there might be situations
> (intervening FW/SG) where tunnel mode IPSec is necessary. However, when
> those reasons do not exist, transport mode IPSec sure is the right way to
> go, IMHO. We should not impose the penalty that comes with tunnel mode
> IPSec when it is not required to achieve the benefit of IPSec.
>
> What is inappropriate with MUST/MUST for both tunnel/transport mode IPSec?
>
> cj
>
> -----Original Message-----
> From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
> Sent: Saturday, April 06, 2002 4:31 PM
> To: Bernard Aboba
> Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu;
> jis@mit.edu; smb@research.att.com
> Subject: RE: IPSEC target and transport mode
>
> On Sat, 6 Apr 2002, Bernard Aboba wrote:
>
> > >There is no need to claim compliance with "IPS security" in that case.
> > >The WG should not encourage this usage, if it still believes in the
> > >above "prime directive".
> >
> > Indeed, such usage is irrelevant to IPS security and cannot be used to
> > demonstrate "two interoperable implementations" where the endpoints won't
> > be implementing IPS protocols.
> >
> > >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
> >
> > What is most interesting about this is that the folks providing software
> > iSCSI support operating systems, as well as HBAs and Targets seem to be
> > lining up for Transport mode, but so far we haven't heard much from vendors
> > with an interest in producing a tunnel mode endpoint product. It seems that
> > the interest in tunnel mode is primarily in interoperating with separate
> > IPsec security gateways, which is out of scope.
>
> So why are we softening the, "if you look like a host to RFC 2401, you
> should act like one (support both transport and tunnel)," language? I
> agree that we can get away with just tunnel mode (as a minimum for
> interoperability). I still just don't understand why people want to; what
> are we really saving?
>
> Take care,
>
> Bill
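The "penalty" of tunnel mode that CJ Lee mentions is per-packet framing: tunnel mode wraps a complete inner IP header inside ESP and adds a fresh outer header, whereas transport mode protects only the TCP segment. The Python below is an added worked example, not part of this thread or of any IPS WG document; it lays out one ESP-protected IPv4 packet following the RFC 2406/4303 format (SPI, sequence number, IV, encrypted payload plus padding and 2-byte trailer, ICV) and compares the two modes for the same TCP segment. Assumptions: IPv4 on both ends, ESP with an explicit IV, and 3DES-CBC with HMAC-SHA1-96 as the default algorithm set (8-byte block and IV, 12-byte ICV); the 8 KiB iSCSI data segment is a constructed sample size, not a figure from the thread.

```python
"""Per-packet cost of ESP transport mode vs tunnel mode (added example).

Constructed numbers: IPv4 (20-byte headers), 3DES-CBC (8-byte block, 8-byte IV)
and HMAC-SHA1-96 (12-byte ICV) as the assumed algorithms. Other block sizes and
ICV lengths can be passed in to see how the padding shifts the result.
"""

IPV4_HDR = 20
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # Pad Length (1 byte) + Next Header (1 byte)


def esp_padding(plain_len, block_size):
    """Bytes of ESP padding for a plaintext of plain_len bytes.

    The encrypted region (payload + padding + trailer) must be a multiple of
    the cipher block size; RFC 2406/4303 also require the Pad Length and Next
    Header fields to be right-aligned within a 4-byte word, so the alignment
    is at least 4 even for stream or NULL ciphers.
    """
    align = max(block_size, 4)
    return (-(plain_len + ESP_TRAILER)) % align


def esp_packet_size(tcp_segment_len, mode, block_size=8, iv_len=8, icv_len=12):
    """Total bytes on the wire for one ESP-protected IPv4 packet.

    transport: IP | SPI,Seq | IV | [TCP segment + pad + trailer] | ICV
    tunnel:    IP | SPI,Seq | IV | [inner IP + TCP segment + pad + trailer] | ICV
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # Tunnel mode encrypts the original (inner) IP header as part of the payload.
    inner = tcp_segment_len + (IPV4_HDR if mode == "tunnel" else 0)
    encrypted = inner + esp_padding(inner, block_size) + ESP_TRAILER
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + encrypted + icv_len


def tunnel_penalty(tcp_segment_len, **algs):
    """Extra bytes tunnel mode costs over transport mode for the same segment."""
    return (esp_packet_size(tcp_segment_len, "tunnel", **algs)
            - esp_packet_size(tcp_segment_len, "transport", **algs))


if __name__ == "__main__":
    # Constructed sample: TCP header (20) + iSCSI BHS (48) + 8 KiB data segment.
    segment = 20 + 48 + 8192
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} {esp_packet_size(segment, mode)} bytes on the wire")
    print("tunnel penalty (3DES-CBC):", tunnel_penalty(segment), "bytes")
    print("tunnel penalty (AES-CBC): ",
          tunnel_penalty(segment, block_size=16, iv_len=16), "bytes")
```

For the sample segment the 3DES case comes out at 8312 bytes in transport mode and 8336 in tunnel mode: the 20-byte inner header is the fixed cost, and padding adds or removes up to one cipher block depending on where the trailer lands. With a 16-byte AES block the same segment shows only a 16-byte gap. The byte count is the measurable part of the penalty; where the SA terminates (at the iSCSI node or at a separate gateway) is the part the thread is really arguing about and is not captured by this arithmetic.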