
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-05.txt

Steve Dispensa wrote:
On Mon, 2002-12-23 at 06:55, Internet-Drafts@xxxxxxxx wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Protocol Working Group of the IETF.

	Title		: UDP Encapsulation of IPsec Packets
	Author(s)	: A. Huttunen et al.
	Filename	: draft-ietf-ipsec-udp-encaps-05.txt
	Pages		: 0
	Date		: 2002-12-20


This may be a typo, but the second paragraph of the introduction
states:  "It is up to the need of the clients whether transport mode or
tunnel mode is to be supported. L2TP/IPsec clients MUST support
transport mode since [RFC 3193] defines that L2TP/IPsec MUST use
transport mode], and IPsec tunnel mode clients MUST support tunnel
mode."  Note that RFC 3193 does not, in fact, require the use of
transport mode with L2TP, just that implementations support transport
mode (RFC 3193 section 2.1).  This is sort of cleared up in the next
sentence, but the wording should probably be fixed.

RFC 3193 seems to say "Transport mode MUST be supported; tunnel mode MAY be supported."

We could rephrase the introduction to be something like this, because
otherwise we'd no longer even optionally support this tunnel mode
L2TP/IPsec. Or so it could be seen. At least that's what I see
was intended originally. (Note that I've not read RFC 3193 in full and
hopefully never will.)

    It is up to the need of the clients whether transport mode
    or tunnel mode is to be supported. L2TP/IPsec clients MUST support
    transport mode and MAY support tunnel mode, as defined in [RFC 3193].
    IPsec tunnel mode clients MUST support tunnel mode.

FWIW, this is a bit of a sore spot with me. We regularly use L2TP over
tunnel mode due to separation of the l2tp server from the IPSEC
concentrator. This creates problems on the client side (Windows users
in particular) due to dumb client implementations.

Well, looks to me like those Windows clients are behaving according to RFC 3193, by not implementing tunnel mode. Tough luck.

Ari


-sd

--
I play it cool and dig all jive,
 that's the reason I stay alive.
  My motto as I live and learn,
   is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise