
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-05.txt



On Thu, 2002-12-26 at 09:48, Ari Huttunen wrote:
> Steve Dispensa wrote:
> > This may be a typo, but the second paragraph of the introduction
> > states:  "It is up to the need of the clients whether transport mode or
> > tunnel mode is to be supported. L2TP/IPsec clients MUST support
> > transport mode since [RFC 3193] defines that L2TP/IPsec MUST use
> > transport mode], and IPsec tunnel mode clients MUST support tunnel
> > mode."  Note that RFC 3193 does not, in fact, require the use of
> > transport mode with L2TP, just that implementations support transport
> > mode.  (RFC 3193 section 2.1)  This is sort of cleared up in the next
> > sentence, but the wording should probably be fixed.
> 
> RFC 3193 seems to say "Transport mode MUST be supported; tunnel
> mode MAY be supported."
> 
> We could rephrase the introduction to be something like this, because
> otherwise we'd no longer even optionally support this tunnel mode
> L2TP/IPsec. Or so it could be seen. At least that's what I see
> was intended originally. (Note that I've not read RFC 3193 in full and
> hopefully never will.)
> 
>      It is up to the need of the clients whether transport mode
>      or tunnel mode is to be supported. L2TP/IPsec clients MUST support
>      transport mode and MAY support tunnel mode, as defined in [RFC 3193].
>      IPsec tunnel mode clients MUST support tunnel mode.

Better; see below.

> > FWIW, this is a bit of a sore spot with me.  We regularly use L2TP over
> > tunnel mode due to separation of the l2tp server from the IPSEC
> > concentrator.  This creates problems on the client side (Windows users
> > in particular) due to dumb client implementations.  
> 
> Well, looks to me like those Windows clients are behaving
> according to RFC 3193, by not implementing tunnel mode. Tough luck.

Not incorrect, just dumb.  However, why again is tunnel mode not a
'must'?  It seems like an exception case.  No IPSEC mode is specified
for other traffic; it just matches by policy (or not).  We have singled
out L2TP as a particular traffic type for which compliant
implementations need not bother supporting tunnel mode.  Seems oddly
arbitrary, and based on an expected implementation that (for me) doesn't
work well.  

 -sd
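The point argued above (transport mode is only enough when the L2TP endpoint is the IPsec peer itself; a separate L2TP server behind an IPsec concentrator needs tunnel mode, and non-L2TP traffic is simply matched by policy or not) can be made concrete with a small model. The code below is an added illustration, not part of the original mailing-list thread or of the draft: it models only header layout and SPD selection, omits all cryptography and the NAT-traversal UDP header the draft itself is about, keys the selector on the L2TP UDP port alone, and uses constructed documentation addresses (192.0.2.10 for the client, 198.51.100.1 for the concentrator, 203.0.113.5 for a separate L2TP server).

```python
"""Toy model of transport vs tunnel mode for L2TP/IPsec with a separated L2TP server.

Added illustration, not code from the thread or the draft. No crypto, no NAT-T
encapsulation; only the IP header layout and a first-match SPD lookup are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional

L2TP_PORT = 1701  # UDP port used by L2TP; the RFC 3193 selectors key on it


@dataclass(frozen=True)
class Packet:
    """An IP datagram reduced to the fields that matter for policy lookup."""
    src: str
    dst: str
    proto: str           # only "udp" is modelled here
    dport: int


@dataclass(frozen=True)
class Policy:
    """One SPD entry: a UDP destination-port selector plus the action to take."""
    dport: int
    action: str                  # "protect" or "bypass"
    mode: Optional[str] = None   # "transport" or "tunnel" when action == "protect"
    peer: Optional[str] = None   # IPsec peer (the gateway) when action == "protect"


@dataclass(frozen=True)
class EspPacket:
    """What leaves the host: the outer IP header plus the protected original packet."""
    outer_src: str
    outer_dst: str
    mode: str
    payload: Packet      # transport: original header reused, UDP part protected;
                         # tunnel: whole original packet, header included, protected


def lookup(spd: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First-match SPD lookup on the UDP destination port (other selectors omitted).

    Returns None when nothing matches, i.e. the packet is sent without IPsec.
    """
    for pol in spd:
        if pkt.proto == "udp" and pkt.dport == pol.dport:
            return pol
    return None


def protect(pkt: Packet, pol: Policy, local: str) -> EspPacket:
    """Apply an outbound 'protect' policy, modelling header layout only."""
    assert pol.action == "protect"
    if pol.mode == "transport":
        # Transport mode keeps the original IP header, so the ESP packet can only
        # go to pkt.dst: the IPsec peer must be the L2TP endpoint itself.
        if pkt.dst != pol.peer:
            raise ValueError("transport mode: L2TP destination %s is not the IPsec peer %s"
                             % (pkt.dst, pol.peer))
        return EspPacket(outer_src=pkt.src, outer_dst=pkt.dst, mode="transport", payload=pkt)
    if pol.mode == "tunnel":
        # Tunnel mode adds a new outer header addressed to the gateway; the inner
        # header, addressed to the L2TP server, is protected with the UDP payload.
        return EspPacket(outer_src=local, outer_dst=pol.peer, mode="tunnel", payload=pkt)
    raise ValueError("unknown mode %r" % (pol.mode,))


def send_l2tp(mode: str, client: str, l2tp_server: str, gateway: str) -> Optional[EspPacket]:
    """Build a one-entry client SPD for `mode` and try to send one L2TP datagram.

    Returns the ESP packet that would leave the client, or None when the chosen
    mode cannot carry the traffic (transport mode with a separated L2TP server).
    """
    spd = [Policy(dport=L2TP_PORT, action="protect", mode=mode, peer=gateway)]
    pkt = Packet(src=client, dst=l2tp_server, proto="udp", dport=L2TP_PORT)
    pol = lookup(spd, pkt)
    assert pol is not None  # L2TP always matches this SPD
    try:
        return protect(pkt, pol, local=client)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    CLIENT, GATEWAY, L2TP_SERVER = "192.0.2.10", "198.51.100.1", "203.0.113.5"
    cases = (("transport", GATEWAY),        # L2TP server co-located with the gateway
             ("transport", L2TP_SERVER),    # L2TP server separated: transport mode fails
             ("tunnel", L2TP_SERVER))       # separated, tunnel mode: works
    for mode, server in cases:
        out = send_l2tp(mode, CLIENT, server, GATEWAY)
        if out is None:
            print("%-9s L2TP to %s: cannot send" % (mode, server))
        else:
            print("%-9s L2TP to %s: ESP %s -> %s, inner dst %s"
                  % (mode, server, out.outer_src, out.outer_dst, out.payload.dst))
```

The co-located case succeeds in transport mode, the separated case only in tunnel mode, and a datagram to any other port (for example DNS on 53) gets no SPD match and goes out in the clear, which is the "matches by policy (or not)" behaviour the message describes.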