
Re: Remove tunnel mode from ipsec-tunnels-02?



Hi Fred and Pekka,

> I would encourage you to not look at presentations, but at the
> controlling specifications, for the use of the term. Specifically I'm
> thinking about RFC 4303, which very explicitly defines tunnel mode as
> having an interior IP header (section 3.1.2) and transport mode as
> proceeding end to end without using an interior header (section
> 3.1.1).

I believe the only use of "end-to-end" in 4303 refers to transport mode
where IPv6 is the outermost header. The IPsec WG recognized that 4303 and
4301 were not totally aligned when they were published. 4301 says:

   When security is desired between two intermediate systems along a path
   (vs. end-to-end use of IPsec), transport mode MAY be used between
   security gateways or between a security gateway and a host. In the
   case where transport mode is used between security gateways or between
   a security gateway and a host, transport mode may be used to support
   in-IP tunneling (e.g., IP-in-IP [Per96] or Generic Routing
   Encapsulation (GRE) tunneling [FaLiHaMeTr00] or dynamic routing
   [ToEgWa04]) over transport mode SAs.

In my view, this paragraph almost encourages us to use transport mode in
this application.

Regards, Rich
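The distinction under discussion is easier to see on the wire. The script below is an added example, not code from the original message or from any IETF document: it builds the same IPv4 packet two ways, once as an RFC 4303 tunnel-mode ESP packet and once as an IP-in-IP tunnel (RFC 2003) carried over a transport-mode ESP SA, and compares the results byte for byte. Assumptions: NULL encryption (so the inner packet stays readable), HMAC-SHA1-96 as the integrity algorithm, a constructed key, constructed addresses from the documentation ranges, and identical outer-header fields (TTL, DF, identification) in both paths, which real implementations may set differently per RFC 4301 section 5.1.2 and RFC 2003. The SPI, sequence number and hosts are made up for the example.

```python
import hmap_placeholder if False else hmac  # noqa: E999 (see below)
```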