RE: IPSEC target and transport mode

To: "'Bill Studenmund'" <wrstuden@wasabisystems.com>, Bernard Aboba <bernard_aboba@hotmail.com>
Subject: RE: IPSEC target and transport mode
From: "Lee, CJ" <CJ_Lee@adaptec.com>
Date: Mon, 8 Apr 2002 09:07:10 -0700
Cc: "Mukund, Shridhar" <Shridhar_Mukund@adaptec.com>, Black_David@emc.com, ips@ece.cmu.edu, jis@mit.edu, smb@research.att.com
Content-Type: text/plain
Sender: owner-ips@ece.cmu.edu

Same question from me as Bill have stated in his email???

For VPN type of application of IPSec, one can see the need of using tunnel 
mode (for traffic flow confidentiality - hiding a private network behind 
the SG).
For communications between IPS end nodes, there might be situation
(intervening
FW/SG) that tunnel mode IPSec is necessary.  However, when those reasons do
not exist, transport mode IPSec sure is the right way to go, IMHO.  We
should 
not impose the penality comes with the tunnel mode IPSec when it is not
required
to achieve the benefit of IPSec.

What is inappropriate with MUST/MUST for both tunnel/transport mode IPSec?

cj

-----Original Message-----
From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
Sent: Saturday, April 06, 2002 4:31 PM
To: Bernard Aboba
Cc: Shridhar_Mukund@adaptec.com; Black_David@emc.com; ips@ece.cmu.edu;
jis@mit.edu; smb@research.att.com
Subject: RE: IPSEC target and transport mode

On Sat, 6 Apr 2002, Bernard Aboba wrote:

> >There is no need to claim compliance with "IPS security" in
> >that case. The WG should not encourage this usage, if it still
> >believes in the above "prime directive".
>
> Indeed, such usage is irrelevant to IPS security and cannot be used to
> demonstrate "two interoperable implementations" where the endpoints won't
be
> implementing IPS protocols.
>
> >I hope we have all the TUNNEL qualifiers to enforce end-to-end.
>
> What is most interesting about this is that the folks providing software
> iSCSI support operating systems, as well as HBAs and Targets seem to be
> lining up for Transport mode, but so far we haven't heard much from
vendors
> with an interest in producing a tunnel mode endpoint product. It seems
that
> the interest in tunnel mode is primarily in interoperating with separate
> IPsec security gateways, which is out of scope.

So why are we softening the, "if you look like a host to RFC 2401, you
should act like one (support both transport and tunnel)," language? I
agree that we can get away with just tunnel mode (as a minimum for
interoperability). I still just don't understand why people want to; what
are we really saving?

Take care,

Bill

Prev by Date: RE: IPSEC target and transport mode
Next by Date: RE: IPSEC target and transport mode
Prev by thread: RE: IPSEC target and transport mode
Next by thread: RE: IPSEC target and transport mode
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 08 13:18:22 2002
9544 messages in chronological order