[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove tunnel mode from ipsec-tunnels-02?

To: Fred Baker <fred@cisco.com>
Subject: Re: Remove tunnel mode from ipsec-tunnels-02?
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 11 Sep 2006 13:49:11 +0300 (EEST)
Cc: v6ops@ops.ietf.org
In-reply-to: <3DD28C2C-441B-41BF-BA51-97CAD82276F0@cisco.com>
References: <Pine.LNX.4.64.0607121659020.31877@netcore.fi> <Pine.LNX.4.64.0609010813170.11225@netcore.fi> <D116E219-359A-4E24-8857-F018EFFCF0AA@cisco.com> <Pine.LNX.4.64.0609071040110.21796@netcore.fi> <D64ED76E-280F-4589-B4DD-744EA211390F@cisco.com> <Pine.LNX.4.64.0609091941300.9273@netcore.fi> <3DD28C2C-441B-41BF-BA51-97CAD82276F0@cisco.com>

I reordered the response to get the most important bits first. As Isuspected, we've been in full agreement about the issue all along, buthave disagreed about what "tunnel mode" means,

On Sun, 10 Sep 2006, Fred Baker wrote:

As RFC 4303 uses the terms, I don't think you can support the claim thatTransport Mode can be implemented by positioning an interior IP header. Itmay be that the thing that you are trying to excise is in fact that usage -transport mode being applied between tunnel endpoints around other kinds oftunnels.
In any event, I don't expect people to stop using L2TP to provide a tunnelservice, or GRE as a way to overlay CE-CE VPNs.

I don't expect either, which is why we're describing how to protectsuch tunnels with IPsec using transport mode. That's actually why GREand L2TP specifications either mandate supporting transport mode(while tunnel mode is a MAY) or specify that transport mode SHOULD beused. See e.g. RFC4023 section 8.1 and RFC 3193.

And the rest, if it's still relevant,

I think we're in full agreement about the fundamental issue: there shouldbe an inner IP header that's protected by IPsec. The point is that it canbe provided either by transport or tunnel mode, and based on our analysis'tunnel mode' is a more constrained way of making such a tunnel andtherefore less preferred.
I would encourage you to not look at presentations, but at the controllingspecifications, for the use of the term. Specifically I'm thinking about RFC4303, which very explicitly defines tunnel mode as having an interior IPheader (section 3.1.2) and transport mode as proceeding end to end withoutusing an interior header (section 3.1.1).
[...]

That misses the point. Transport mode is applied "end to end" but theendpoints of a transport mode-protected tunnel are the tunnelendpoints so it is in end-to-end (with encapsulator/decapsulator beingthe endpoints). Also, while one could correctly say "The next-headerof an IPsec ESP header is an interior IP header if the IPsec SA istunnel mode" you cannot substitute "if" with "if and only if".

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

References:
- Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Fred Baker <fred@cisco.com>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Fred Baker <fred@cisco.com>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Remove tunnel mode from ipsec-tunnels-02?
  - From: Fred Baker <fred@cisco.com>

Prev by Date: Re: [netlmm] Dual Stack Moving Internet (DSMI)
Next by Date: Re: Remove tunnel mode from ipsec-tunnels-02?
Previous by thread: Re: Remove tunnel mode from ipsec-tunnels-02?
Next by thread: Re: Remove tunnel mode from ipsec-tunnels-02?
Index(es):
- Date
- Thread