
Re: 2401bis issues (possible) resolution

In message <3F8329A2.60302@xxxxxxx>, Joe Touch writes:
>The key issue we feel needs to be addressed is RFC2003 tunneled traffic, 
>not traffic on a 'link' in general. Packets using 2003-style tunnels at 
>a gateway originate and/or terminate at that gateway, and as such, are 
>hosts for the purposes of IPsec conformance (for that tunnel). Thus 
>RFC2401 already permits the use of transport mode on this traffic.

That is a different issue from what the text in #50 describes.

>It might be more specific to indicate that:
>For traffic originating or terminating at a gateway, that gateway MUST 
>support the functions of an IPsec host. In particular, traffic 
>originating or terminating at that gateway that is tunneled over 
>non-IPsec mechanisms (e.g., RFC2003) MAY use transport mode. A gateway 
>that originates or terminates packets tunneled over non-IPsec 
>mechanisms, for the purposes of that tunnel, MUST follow the IPsec host 
>requirements rather than the IPsec gateway requirements.
>Permitting the use of transport mode in this context goes specifically 
>to the interaction between IPsec and RFC2003 tunnels, making it a 
>protocol issue rather than merely an implementation issue.

This is a much more modest proposal than #50, which effectively allows a
gateway to insert an ESP header on another IP packet without doing tunneling.
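To make the distinction concrete, here is an added Python illustration (not from this thread or any implementation the thread discusses): it builds the packet a gateway produces when it protects its own RFC2003 tunnel packet with ESP transport mode, the packet ESP tunnel mode produces for the same traffic, and the #50 reading where ESP is inserted into a forwarded host packet with no tunnel, then walks each header chain. ESP is shown with NULL encryption and no ICV, the SPI, addresses and TCP segment are constructed, and the helper names are this example's own.

```python
import socket, struct

ESP, IPIP, TCP = 50, 4, 6   # IANA IP protocol numbers
SPI, SEQ = 0x1000, 1        # constructed SA parameters for the sample

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header (checksum left zero; constructed sample)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def esp(payload, next_hdr):
    # ESP body, NULL encryption and no ICV for illustration: SPI, seq, payload, padding, pad len, next header
    pad_len = (-(len(payload) + 2)) % 4
    return (struct.pack("!II", SPI, SEQ) + payload + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_hdr]))

def esp_transport(pkt):
    # Transport mode: keep the existing IP header, insert ESP between it and its payload
    ihl = (pkt[0] & 0x0F) * 4
    hdr, body = bytearray(pkt[:ihl]), esp(pkt[ihl:], pkt[9])
    hdr[9], hdr[2:4] = ESP, struct.pack("!H", ihl + len(body))
    return bytes(hdr) + body

def esp_tunnel(pkt, src, dst):
    # Tunnel mode: the whole packet becomes the ESP payload under a new outer header
    return ipv4(src, dst, ESP, esp(pkt, IPIP))

def header_chain(pkt):
    # Follow the next-header chain and report the layering as seen on the wire
    chain, proto = [], IPIP              # begin by expecting an IPv4 header
    while proto in (IPIP, ESP):
        if proto == IPIP:
            ihl = (pkt[0] & 0x0F) * 4
            chain.append("ip %s->%s" % (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])))
            proto, pkt = pkt[9], pkt[ihl:]
        else:
            pad_len, proto = pkt[-2], pkt[-1]   # ESP trailer: pad length, next header
            chain.append("esp")
            pkt = pkt[8:len(pkt) - 2 - pad_len]
    return chain + ["tcp" if proto == TCP else "proto %d" % proto]

H1, H2 = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])        # hosts behind each gateway (constructed)
G1, G2 = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # gateways (documentation ranges)
HOST_PKT = ipv4(H1, H2, TCP, b"\x00\x50\x00\x50hello")     # stand-in TCP segment (constructed)
def touch_proposal():    # gateway protects its own RFC2003 tunnel packet in transport mode
    return esp_transport(ipv4(G1, G2, IPIP, HOST_PKT))
def tunnel_mode():       # the same traffic with ESP tunnel mode at the gateway
    return esp_tunnel(HOST_PKT, G1, G2)
def issue_50_reading():  # ESP inserted into a forwarded host packet with no tunnel
    return esp_transport(HOST_PKT)
```

The first two constructions yield the same header chain (outer IP, ESP, inner IP, TCP), which is why the proposal is modest; the #50 reading instead yields a packet whose IP header still carries the hosts' addresses with ESP directly inside it.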