Re: 2401bis issues (possible) resolution
In message <3F8329A2.60302@xxxxxxx>, Joe Touch writes:
>The key issue we feel needs to be addressed is RFC2003 tunneled traffic,
>not traffic on a 'link' in general. Packets using 2003-style tunnels at
>a gateway originate and/or terminate at that gateway, and as such, are
>hosts for the purposes of IPsec conformance (for that tunnel). Thus
>RFC2401 already permits the use of transport mode on this traffic.
That is a different issue from what the text in #50 describes.
>It might be more specific to indicate that:
>For traffic originating or terminating at a gateway, that gateway MUST
>support the functions of an IPsec host. In particular, traffic
>originating or terminating at that gateway that is tunneled over
>non-IPsec mechanisms (e.g., RFC2003) MAY use transport mode. A gateway
>that originates or terminates packets tunneled over non-IPsec
>mechanisms, for the purposes of that tunnel, MUST follow the IPsec host
>requirements rather than the IPsec gateway requirements.
>Permitting the use of transport mode in this context goes specifically
>to the interaction between IPsec and RFC2003 tunnels, making it a
>protocol issue rather than merely an implementation issue.
This is a much more modest proposal than #50, which effectively allows a
gateway to insert an ESP header on another IP packet without doing tunneling.