On 15 Nov 2011, at 10:03, Nico Williams wrote:

> On Mon, Nov 14, 2011 at 7:51 PM, Frederic Detienne <f...@cisco.com> wrote:
>> Can you please explain your point about transport mode being bad? We do not
>> see any problem with it in real world deployments. It is quite the opposite
>> actually.
>
> RFC4301, section 4.1 has some text on this, though, quite frankly, I
> don't think there's any reason not to use transport mode in end-to-end
> and end<->GW communications, and also, for the latter, no reason that
> using an IP tunnel inside transport mode ESP shouldn't work just fine
> (Dan McDonald used this approach for a VPN system at Sun Microsystems
> [RIP]).

Many vendors do that IP tunneling + ESP Transport and yes, this is a very fine use. This is why I questioned why "transport" was criticized.

I understand the issues section 4.1 raises, but these are really implementation and network design issues again. Once tunnels are being used, the whole security aspect is actually factored into the overlay network design. The whole comment there applies to a pure IPsec Security Gateway. The section would really deserve to be either deflated altogether or augmented with a use case (c) where the Security Gateway has other network and security mechanisms to meet the security requirements.

>> I agree that AH is a hindrance, especially that it protects the non-mutable
>> fields of the IP header and therefore prevents NAT and ToS re-marking. I.e.
>> the main difference between AH and ESP_NULL is really this outer IP header
>> protection which is detrimental in most practical networks.
>
> Yes, this is why we all dislike AH.

It will be hard to find someone to defend AH :-) I still would be happy to hear if someone has a good argument.

fred

> Nico
> --

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
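The AH-versus-ESP_NULL point discussed in the thread, as an added example that is not part of the mailing list exchange or of any IPsec implementation: a toy model of the two integrity-check scopes. It follows the coverage rules of RFC 4302 (the AH ICV covers the IPv4 header with the mutable fields TOS, flags/fragment offset, TTL and checksum zeroed, so the source and destination addresses stay covered) and RFC 4303 (the ESP ICV covers only the ESP header, payload and trailer, never the outer IP header). The key, addresses, SPI and payload are constructed sample values, and the packets are not wire-compatible; the point is only to show which header rewrites invalidate which ICV.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

# Constructed sample values for the demonstration only.
AUTH_KEY = b"constructed-sample-key-32-bytes!"
SPI = 0x1000
SEQ = 1
PAYLOAD = b"GET /status HTTP/1.1\r\n\r\n"


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    tos: int = 0x00      # DSCP/ECN byte: mutable in transit (RFC 4302 3.3.3.1)
    ident: int = 0x1234  # immutable
    flags_frag: int = 0  # flags + fragment offset: mutable
    ttl: int = 64        # mutable, decremented by every router
    proto: int = 51      # next header (51 = AH), immutable


def pack_header(ip: IPv4Header, payload_len: int, zero_mutable: bool) -> bytes:
    """Serialise a 20-byte IPv4 header. For the AH ICV computation the mutable
    fields and the header checksum are set to zero; the addresses stay covered."""
    tos = 0 if zero_mutable else ip.tos
    flags_frag = 0 if zero_mutable else ip.flags_frag
    ttl = 0 if zero_mutable else ip.ttl
    checksum = 0  # not computed in this toy; it is zeroed for the ICV anyway
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ip.ident, flags_frag,
        ttl, ip.proto, checksum,
        ipaddress.IPv4Address(ip.src).packed, ipaddress.IPv4Address(ip.dst).packed)


def ah_icv(ip: IPv4Header, payload: bytes) -> bytes:
    """Toy AH ICV: truncated HMAC-SHA256 over the header (mutable fields zeroed)
    plus the payload. A real AH ICV also covers the AH header itself."""
    data = pack_header(ip, len(payload), zero_mutable=True) + payload
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:12]


def ah_verify(ip: IPv4Header, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(ip, payload), icv)


def esp_null_icv(ip: IPv4Header, spi: int, seq: int, payload: bytes) -> bytes:
    """Toy ESP-NULL ICV: HMAC over SPI, sequence number and payload. The outer
    header is a parameter only to make the contrast explicit: it is not hashed."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:12]


def esp_null_verify(ip: IPv4Header, spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_null_icv(ip, spi, seq, payload), icv)


def nat_rewrite_source(ip: IPv4Header, new_src: str) -> IPv4Header:
    """What a source NAT does on the way out: rewrite the source address and
    decrement the TTL like any router."""
    return replace(ip, src=new_src, ttl=ip.ttl - 1)


def dscp_remark(ip: IPv4Header, tos: int) -> IPv4Header:
    """What a QoS edge does: rewrite the DSCP/ECN byte only."""
    return replace(ip, tos=tos)


def run_demo() -> dict:
    # Constructed private and documentation-range addresses.
    host = IPv4Header(src="10.0.0.5", dst="192.0.2.10")
    ah = ah_icv(host, PAYLOAD)
    esp = esp_null_icv(host, SPI, SEQ, PAYLOAD)
    natted = nat_rewrite_source(host, "198.51.100.7")
    remarked = dscp_remark(host, 0xB8)
    return {
        "ah_ok_end_to_end": ah_verify(host, PAYLOAD, ah),
        "ah_ok_after_nat": ah_verify(natted, PAYLOAD, ah),
        "esp_ok_after_nat": esp_null_verify(natted, SPI, SEQ, PAYLOAD, esp),
        "ah_ok_after_dscp_remark": ah_verify(remarked, PAYLOAD, ah),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Running it shows the AH check passing end to end and failing once a NAT has rewritten the source address, while the ESP-NULL check is unaffected by any outer-header change. In a real deployment ESP through a NAT still needs UDP encapsulation (NAT-T, RFC 3948) so that the NAT can track the flow, but that is a transport problem, not an integrity failure.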