On Mon, Nov 14, 2011 at 7:51 PM, Frederic Detienne <f...@cisco.com> wrote:

> Can you please explain your point about transport mode being bad ? We do not
> see any problem with it in real world deployments. It is quite the opposite
> actually.
RFC4301, section 4.1 has some text on this, though, quite frankly, I don't think there's any reason not to use transport mode in end-to-end and end<->GW communications, and also, for the latter, no reason that using an IP tunnel inside transport mode ESP shouldn't work just fine (Dan McDonald used this approach for a VPN system at Sun Microsystems [RIP]).

> I agree that AH is a hindrance, especially that it protects the non-mutable
> fields of the IP header and therefore prevents NAT and ToS re-marking. I.e.
> the main difference between AH and ESP_NULL is really this outer IP header
> protection which is detrimental in most practical networks.

Yes, this is why we all dislike AH.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
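To make the AH vs. ESP_NULL point above concrete, here is an added illustration (not code from the thread or from any IPsec implementation) of the NAT case: the AH ICV is computed over the outer IPv4 header with the RFC 4302 mutable fields zeroed, so the source address is covered, while the ESP_NULL ICV covers only the ESP header and the encapsulated data. The key, addresses and packet bytes are constructed demo values, and the serializer and ICV functions are simplified models rather than a real AH/ESP implementation.

```python
import hmac
import hashlib
import struct
import socket

# Constructed demo key; a real SA would negotiate this via IKE.
KEY = b"constructed-demo-key-not-real"

def ipv4_header(src, dst, proto, tos=0, ttl=64, total_len=60):
    """Serialize a minimal 20-byte IPv4 header (checksum left zero, DF set)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(hdr):
    """AH ICV input per RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and
    checksum are zeroed before hashing; the addresses are kept and thus protected."""
    b = bytearray(hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_icv(ip_hdr, payload):
    """AH authenticates the outer IP header (immutable fields) plus what follows it."""
    return hmac.new(KEY, zero_mutable_fields(ip_hdr) + payload, hashlib.sha256).digest()[:12]

def esp_null_icv(esp_hdr, payload):
    """ESP_NULL authenticates the ESP header and the encapsulated data only;
    the outer IP header is outside the ICV."""
    return hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:12]

def nat_rewrite(ip_hdr, new_src):
    """Simulate a source NAT: replace the source address, leave the rest untouched."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def verify(expected, computed):
    return hmac.compare_digest(expected, computed)

def demo():
    """Return verification results before and after a NAT on the path."""
    payload = b"constructed inner packet bytes"
    esp_hdr = struct.pack("!II", 0x1000, 1)          # SPI, sequence number
    orig = ipv4_header("10.0.0.2", "192.0.2.10", proto=51)
    ah_tag = ah_icv(orig, payload)
    esp_tag = esp_null_icv(esp_hdr, payload)
    natted = nat_rewrite(orig, "198.51.100.7")
    return {
        "ah_before_nat": verify(ah_tag, ah_icv(orig, payload)),
        "ah_after_nat": verify(ah_tag, ah_icv(natted, payload)),
        "esp_null_after_nat": verify(esp_tag, esp_null_icv(esp_hdr, payload)),
    }
```

The receiver behind the NAT sees the rewritten source address, so the AH check fails while the ESP_NULL check still passes.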