On 15 Nov 2011, at 10:05, Paul Wouters wrote:

> On Tue, 15 Nov 2011, Frederic Detienne wrote:
> 
>> Can you please explain your point about transport mode being bad? We do not 
>> see any problem with it in real world deployments. It is quite the opposite 
>> actually.
> 
> I meant the kludge where transport mode (host-host) has to deal with NAT-T 
> where the inner IP of the client is used, making it kinda a tunnel mode 
> (internalip/32-host-host)

I see what you mean but we have found tunnel mode to be impractical in similar 
protocol suites but different scenarios. 

Transport turns out to be really efficient and elegant in our cases. This is 
really an implementation issue and vendors have to tune their code to their 
customers' use cases.

Additionally, there are many customers out there who really want to reclaim 
every possible byte. When the average clear text packet size is small, the 
overhead that tunnel imposes is significant.

I would say that transport mode is actually very useful but it really 
depends on your usage.

>> I agree that AH is a hindrance, especially since it protects the non-mutable 
>> fields of the IP header and therefore prevents NAT and ToS re-marking. I.e. 
>> the main difference between AH and ESP_NULL is really this outer IP header 
>> protection which is detrimental in most practical networks.
> 
> Yes, we've seen cellphone manufacturers that use Linux specifically patching 
> Openswan KLIPS to allow ToS rewriting.

I think most people would agree that AH is really not a good idea. :-)

> Paul
> 

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
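The "reclaim every possible byte" argument above, as an added worked example that is not part of the thread: it computes the on-the-wire size of an ESP-protected IPv4 packet in transport and tunnel mode using the RFC 4303 framing (SPI, sequence number, IV, padding, trailer, ICV). It assumes IPv4 headers without options (20 bytes), AES-CBC with HMAC-SHA1-96 as the default cipher suite, and optional NAT-T UDP encapsulation; the packet sizes at the bottom are constructed.

```python
# Added example (not from the thread): ESP on-the-wire size for transport vs
# tunnel mode, per RFC 4303 framing. Assumes IPv4 headers without options
# (20 bytes) and a clear-text packet that already starts with its IP header.

IPV4_HEADER = 20
UDP_HEADER = 8          # only added for NAT-T (UDP port 4500) encapsulation
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)


def esp_padding(payload_len, block_align):
    """Bytes of padding so payload + trailer is a multiple of block_align."""
    return (-(payload_len + ESP_TRAILER)) % block_align


def esp_packet_size(clear_len, mode, iv_len=16, icv_len=12,
                    block_align=16, nat_t=False):
    """On-the-wire size of an ESP-protected IPv4 packet.

    clear_len   size of the original IPv4 packet (header + L4 payload)
    mode        "transport" (protect the L4 payload, reuse the IP header)
                or "tunnel" (protect the whole packet, add a new outer header)
    iv_len / icv_len / block_align default to AES-CBC + HMAC-SHA1-96.
    """
    if clear_len < IPV4_HEADER:
        raise ValueError("clear_len smaller than an IPv4 header")
    if mode == "transport":
        protected = clear_len - IPV4_HEADER   # original IP header is reused
    elif mode == "tunnel":
        protected = clear_len                 # whole packet is encapsulated
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad = esp_padding(protected, block_align)
    size = IPV4_HEADER + ESP_HEADER + iv_len + protected + pad + ESP_TRAILER + icv_len
    return size + (UDP_HEADER if nat_t else 0)


def overhead_report(clear_len, **kw):
    """Overhead bytes and ratio for both modes, for one clear-text size."""
    out = {}
    for mode in ("transport", "tunnel"):
        total = esp_packet_size(clear_len, mode, **kw)
        out[mode] = {"bytes": total,
                     "overhead": total - clear_len,
                     "ratio": round((total - clear_len) / clear_len, 3)}
    return out


if __name__ == "__main__":
    # Constructed sizes: a small voice-like packet and a near-MTU packet.
    for n in (60, 1400):
        print(n, overhead_report(n))
```

For a 60-byte packet the extra inner IP header in tunnel mode takes the overhead from 44 to 60 bytes (73% to 100%), while for a 1400-byte packet the same 16 bytes are about one percentage point.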
