Re: Remove tunnel mode from ipsec-tunnels-02?
On Sep 10, 2006, at 1:12 AM, Pekka Savola wrote:
> It seems you're using the term 'tunnel mode' to refer to any kind
> of IPsec protected session where there is a separate inner header
> that is protected by IPsec. AFAICS, in IPsec specifications
> 'tunnel mode' has a more constrained meaning. In particular,
> transport mode IPsec SA may or may not have an inner IP header,
> depending on what kind of traffic transport mode is applied to.
> So, transport mode can be used to build tunnels with the properties
> you seek.
>
> The key difference when tunneling is whether IPsec itself performs
> the tunneling operation (i.e., tunnel mode SA), or whether IPsec is
> applied to a tunnel interface, resulting in an outer and inner IP
> header (i.e., transport mode SA). In both cases the inner addresses
> are protected by IPsec.
>
> I think we're in full agreement about the fundamental issue: there
> should be an inner IP header that's protected by IPsec. The point
> is that it can be provided either by transport or tunnel mode, and
> based on our analysis 'tunnel mode' is a more constrained way of
> making such a tunnel and therefore less preferred.
I would encourage you to not look at presentations, but at the
controlling specifications, for the use of the term. Specifically I'm
thinking about RFC 4303, which very explicitly defines tunnel mode as
having an interior IP header (section 3.1.2) and transport mode as
proceeding end to end without using an interior header (section
3.1.1). I agree that using the term "tunnel mode" to describe other
ways to place the interior header into the message is murkier (one
could argue that ip-in-l2tp/gre-in-ip is running transport mode in
each case from RFC 4303's definition, but RFC 3456 describes it as
being in "tunnel mode" because it is within a tunnel).
As RFC 4303 uses the terms, I don't think you can support the claim
that Transport Mode can be implemented by positioning an interior IP
header. It may be that the thing that you are trying to excise is in
fact that usage - transport mode being applied between tunnel
endpoints around other kinds of tunnels.
In any event, I don't expect people to stop using L2TP to provide a
tunnel service, or GRE as a way to overlay CE-CE VPNs.
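As an added illustration (not part of this thread or any draft), the two encapsulations the messages contrast, built byte by byte in Python: a tunnel-mode ESP SA that itself carries the inner IP packet (ESP next header 4), and a transport-mode ESP SA applied around a GRE tunnel (ESP next header 47). Addresses, the key and the SPI are constructed sample values; the ESP keeps the RFC 4303 field layout with an HMAC-based ICV but omits encryption so the protected bytes stay inspectable.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from the thread: a toy ICV key only.
KEY = b"illustrative-esp-key"
PROTO_IPV4, PROTO_GRE, PROTO_ESP = 4, 47, 50
ICV_LEN = 12  # truncated HMAC, as common ESP integrity transforms use


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; layout is the point)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)


def esp_wrap(next_header: int, plaintext: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """RFC 4303 layout: SPI | seq | payload | padding | pad len | next header | ICV.
    The ICV covers everything from the SPI to the next-header byte."""
    pad_len = (-(len(plaintext) + 2)) % 4            # align trailer to 4 bytes
    body = (struct.pack("!II", spi, seq) + plaintext
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]


def tunnel_mode(inner: bytes, gw_a: str, gw_b: str) -> bytes:
    """Tunnel-mode SA: IPsec itself encapsulates the whole inner IP packet."""
    esp = esp_wrap(PROTO_IPV4, inner)
    return ipv4_header(gw_a, gw_b, PROTO_ESP, len(esp)) + esp


def transport_mode_over_gre(inner: bytes, gw_a: str, gw_b: str) -> bytes:
    """Transport-mode SA on a GRE tunnel interface: GRE carries the inner packet,
    ESP protects the GRE payload, and the outer IP header comes from the tunnel."""
    gre = struct.pack("!HH", 0, 0x0800) + inner       # flags/version 0, ethertype IPv4
    esp = esp_wrap(PROTO_GRE, gre)
    return ipv4_header(gw_a, gw_b, PROTO_ESP, len(esp)) + esp


def esp_protected_region(packet: bytes) -> bytes:
    """Bytes covered by the ESP ICV: after the outer IP header, before the ICV."""
    return packet[20:-ICV_LEN]


def esp_next_header(packet: bytes) -> int:
    """The ESP trailer's next-header byte sits immediately before the ICV."""
    return packet[-(ICV_LEN + 1)]


def inner_header_is_protected(packet: bytes, inner: bytes) -> bool:
    """True when the inner IP header lies inside the ESP-protected region."""
    return inner[:20] in esp_protected_region(packet)
```

Both encapsulations place the inner addresses inside the integrity-protected region; they differ only in which header ESP declares as its payload.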