arch-07 and protocol mode stored in SAD? Why?

Markku Savela <msa@anise.tte.vtt.fi> Fri, 09 October 1998 12:13 UTC

Received: by portal.ex.tis.com (8.9.1/8.9.1) id IAA07708 for ipsec-outgoing; Fri, 9 Oct 1998 08:13:24 -0400 (EDT)
Date: Fri, 09 Oct 1998 15:30:56 +0300
From: Markku Savela <msa@anise.tte.vtt.fi>
Message-Id: <199810091230.PAA10642@anise.tte.vtt.fi>
To: ipsec@tis.com
Subject: arch-07 and protocol mode stored in SAD? Why?
Reply-to: msa@hemuli.tte.vtt.fi
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

In draft-ietf-ipsec-arch-sec-07, "4.4.3 Security Association Database
(SAD)"  (page 24), in the list of required SAD fields, there is this
"IPsec protocol mode", and I am wondering why?

1) There is no way to set this field from PFKEY, as far as I can see
   (unless one takes a hint from presence of a PROXY_ADDRESS
   extension, but even then it would leave open how to choose between
   "wildcard" and "transport")

2) in my "legacy implementation", the tunneling is controlled by the
   policy definition, and this seems to be quite a working solution.

Again, one of the issues where Policy and SAD are getting
mixed/confused?

But anyway, it would seem that the description of the
tunnel/wildcard/transport mode would not belong to SAD, but into SPD
and bundles.

On conformance, I doubt there is any way to detect from outside,
whether I implement this on SAD, or in SPD.

Now, looking at all the description about how to do tunneling, I am
starting to wonder whether I do it right, when I do it simply and
totally independently of ESP or AH, e.g. for each bundle:

Step 1. Apply general tunnel (IPIP) to packet (if the bundle
   specifies a tunnel, e.g. my policy tells when to tunnel or
   not, SA knows nothing about it)

Step 2. Apply ESP or AH to packet (these don't care what the
   next protocol is, work equally well with IPIP and any other
   protocols)

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
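The two-step outbound path described in the message, modelled in Python as an added example that is not part of the original post or of any implementation it mentions: the constructed SPD entry carries the tunnel endpoints, the constructed SAD entry carries SPI, sequence number and key but no mode field, and ESP is integrity-only with HMAC-SHA256 standing in for the SA's algorithm so that the header layout stays visible.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP: the "general tunnel" of step 1
IPPROTO_ESP = 50

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def new_sa():
    # Constructed SAD entry: SPI, sequence counter and key, but no mode field.
    return {"spi": 0x1234, "seq": 1, "key": b"constructed-demo-key"}

def esp_encapsulate(sa, payload, next_header, block=4):
    """ESP header + payload + trailer + 96-bit ICV; integrity-only (HMAC-SHA256
    as a constructed stand-in for the SA's algorithm), next_header just copied."""
    pad_len = (-(len(payload) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", sa["spi"], sa["seq"]) + payload + trailer
    sa["seq"] += 1
    return body + hmac.new(sa["key"], body, hashlib.sha256).digest()[:12]

def esp_transport(sa, packet):
    """Step 2: ESP over whatever IP packet arrives; the IP protocol field becomes
    ESP next_header, be it 4 (IPIP from step 1) or 6/17 (plain transport)."""
    hdr, payload = packet[:20], packet[20:]
    esp = esp_encapsulate(sa, payload, hdr[9])
    return ipv4_header(hdr[12:16], hdr[16:20], IPPROTO_ESP, len(esp)) + esp

def outbound(policy, sa, packet):
    """One bundle as the mail describes: the SPD entry decides tunneling,
    the SA knows nothing about it."""
    if policy.get("tunnel"):                      # step 1: plain IPIP
        src, dst = policy["tunnel"]
        packet = ipv4_header(src, dst, IPPROTO_IPIP, len(packet)) + packet
    return esp_transport(sa, packet)

def esp_next_header(packet):
    """Read next_header back out of the ESP trailer (it sits before the ICV)."""
    return packet[-13]

def sample_packet():
    # Constructed inner packet: 10.0.0.1 -> 10.0.0.2, protocol 6 (TCP).
    seg = b"constructed TCP segment"
    return ipv4_header("10.0.0.1", "10.0.0.2", 6, len(seg)) + seg
```

The same SA handles both a tunneled and an untunneled packet; only the ESP next_header (4 versus 6) and the outer addresses differ, and both come from the policy and the packet, not from the SAD entry.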