[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove tunnel mode from ipsec-tunnels-02?

To: Fred Baker <fred@cisco.com>
Subject: Re: Remove tunnel mode from ipsec-tunnels-02?
From: Pekka Savola <pekkas@netcore.fi>
Date: Thu, 7 Sep 2006 10:57:29 +0300 (EEST)
Cc: v6ops@ops.ietf.org
In-reply-to: <D116E219-359A-4E24-8857-F018EFFCF0AA@cisco.com>
References: <Pine.LNX.4.64.0607121659020.31877@netcore.fi> <Pine.LNX.4.64.0609010813170.11225@netcore.fi> <D116E219-359A-4E24-8857-F018EFFCF0AA@cisco.com>

On Wed, 6 Sep 2006, Fred Baker wrote:

given that there are significant networks that operate in tunnel mode,including both corporate VPNs and military networks that use tunnel modebetween encryption devices with a specific view to hiding interior addressingand therefore military asset distribution from prying eyes, this proposalseem profoundly silly.

Our assumption has been that transport mode is applied to a tunnelinterface (such as IPv6-in-IPv4, GRE etc). That hides the inneraddresses from those observers that would have been on-path in thetunnel.

When IPsec tunnel mode is _NOT_ modelled as an interface, then this isOK though IMHO suboptimal because you cannot in practice run neighbordiscovery, routing protocols, multicast etc. over such tunnels. Dueto the link-local issues mentioned previously, tunnel mode is notsomething we can recommend when it's modelled as an interface.

If there is something you disagree with in the above two paragraphs,maybe you should clarify what the deployment looks like, because thereare a lot of different variations how IPsec could be applied:

 a) transport mode in host-to-host mode (end-to-end IPsec)

b) transport mode when applied to an IP tunnel interface (e.g.,between security gateways or a security gateway and a node)

 c) tunnel mode, not modelled as an interface
 d) tunnel mode, modelled as an interface

a) is out of scope of this document. b) seems best option by far. c)can also work but has more more limited applicability as routingprotocols, multicast, etc. don't work. There is no interoperablestandards solution for d) that wouldn't break IPv6 architecture henceit's non-starter.

Maybe you could remind us why the v6ops working group is supposed to beoverriding the recommendation of the ipsec working group on how security issupposed to work based on what is convenient to IPv6?

I don't see what's being overridden. IPsec architecture allows theuse of transport mode between a node and a security gateway. If theuse of tunnel mode is suboptimal, I don't see it as a problem torecommend another approach instead.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Follow-Ups:
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Fred Baker <fred@cisco.com>

References:
- Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Fred Baker <fred@cisco.com>

Prev by Date: AW: Remove tunnel mode from ipsec-tunnels-02?
Next by Date: Dual Stack Moving Internet (DSMI)
Previous by thread: AW: Remove tunnel mode from ipsec-tunnels-02?
Next by thread: Re: Remove tunnel mode from ipsec-tunnels-02?
Index(es):
- Date
- Thread