Re: [Ipsec] Applications over IPsec

"Vishwas Manral" <vishwas.ietf@gmail.com> Tue, 18 April 2006 17:11 UTC

Message-ID: <77ead0ec0604181011n5777856cqf3e09ae9d71c83cc@mail.gmail.com>
Date: Tue, 18 Apr 2006 10:11:22 -0700
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Stephen Kent <kent@bbn.com>
Subject: Re: [Ipsec] Applications over IPsec
In-Reply-To: <p06230904c06a9d505fc2@128.89.89.106>
MIME-Version: 1.0
References: <77ead0ec0604141450o246e99abp2b0582fcb7d6d0bd@mail.gmail.com> <p0623090ac0694da2f006@128.89.89.106> <77ead0ec0604171809v70c534d0h40451d0e4edf59dd@mail.gmail.com> <p06230904c06a9d505fc2@128.89.89.106>
Cc: ipsec@ietf.org

Hi Stephen,

This is very interesting.

I thought because we got a superset of functionality in tunnel mode (wrt
transport mode), we were trying to reduce the number of options we wanted to
support in IPsec by mandating support for Tunnel mode as a MUST. But if we
have applications state that Transport mode is a MUST while Tunnel mode is
a MAY, we may have to support both modes. We do not know what
applications may run on top, right?

BTW, the new draft which will obsolete RFC4305 is posted at
http://www.ietf.org/internet-drafts/draft-manral-ipsec-rfc4305-bis-errata-00.txt
and any comments will be very welcome.

Thanks,
Vishwas

On 4/18/06, Stephen Kent <kent@bbn.com> wrote:
>
> At 6:09 PM -0700 4/17/06, Vishwas Manral wrote:
>
> Hi Stephen,
>
> I see issues in drafts using IPsec then:
> http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
> states that transport mode is a MUST and Tunnel mode is a MAY. This is more
> related to RFC4301 though.
>
> Regarding the algorithms to be supported for ESP and AH (RFC4305), I will
> add a clear recommendation for applications to use.
>
> Thanks,
>
> Vishwas
>
>
>
> yes, I am aware of the OSPFv3 security I-D.  The MUST vs. MAY re tunnel
> and transport modes does not bother me.  These folks are defining what an
> OSPF router has to do as a HOST in the routing environment, not as a
> GATEWAY. The same would be true if one employed IPsec to protect BGP
> sessions.
>
> The bigger problem is that OSPF needs multicast support and we don't have
> what they need.  The MSEC WG did not provide the necessary extensions to the
> SPD and SAD to accommodate multicast uses ala OSPF. Thus the OSPF folks
> tried to make do with what was defined, and the result is not pretty.
>
> Steve
>
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
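To make the SPD/SAD terms in Steve's reply concrete, here is an added example that is not part of this thread or of any IETF document: a small Python model of an RFC 4301-style Security Policy Database on a host, with OSPFv3 transport-mode entries sitting beside a tunnel-mode entry (Vishwas's point that such a host ends up implementing both modes), and an inbound SA lookup in which multicast SAs are found by SPI plus destination address rather than SPI alone. The lookup rule is modelled on RFC 4301 section 4.1 as I read it; the addresses, SPIs, key identifiers and entry names are constructed sample values, and the `lookup` field on each SA is my own way of recording which fields that SA's lookup uses.

```python
"""Toy model of RFC 4301 SPD/SAD behaviour for a host running OSPFv3 over IPsec.

Added illustration for the mailing-list discussion above; not an implementation
of any real IPsec stack.  All addresses, SPIs and key ids are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

OSPF_PROTO = 89                 # IANA protocol number for OSPF
ALL_SPF_ROUTERS_V6 = "ff02::5"  # OSPFv3 AllSPFRouters group
ALL_D_ROUTERS_V6 = "ff02::6"    # OSPFv3 AllDRouters group


@dataclass(frozen=True)
class SPDEntry:
    name: str
    remote: str                 # destination selector as CIDR text
    next_header: Optional[int]  # None means "any next header"
    action: str                 # PROTECT, BYPASS or DISCARD
    mode: Optional[str] = None  # "transport" or "tunnel" when action == PROTECT


@dataclass(frozen=True)
class SAEntry:
    spi: int
    protocol: str               # "AH" or "ESP"
    mode: str                   # "transport" or "tunnel"
    dst: str                    # destination address the SA was created for
    lookup: str                 # hypothetical field: "spi", "spi+dst" or "spi+dst+src"
    src: Optional[str] = None   # only meaningful for "spi+dst+src" (SSM-style) SAs
    key_id: str = "<placeholder-key-id>"


def spd_lookup(spd: Iterable[SPDEntry], dst: str, next_header: int) -> Optional[SPDEntry]:
    """Ordered first-match over the SPD, the way RFC 4301 requires."""
    addr = ip_address(dst)
    for entry in spd:
        if addr in ip_network(entry.remote) and entry.next_header in (None, next_header):
            return entry
    return None


def modes_host_must_implement(spd: Iterable[SPDEntry]) -> List[str]:
    """Every mode named by a PROTECT entry has to exist in the host's IPsec code."""
    return sorted({e.mode for e in spd if e.action == "PROTECT" and e.mode})


def sad_lookup(sad: Iterable[SAEntry], spi: int, dst: str, src: str) -> Optional[SAEntry]:
    """Inbound SA selection.  Unicast SAs are found by SPI alone; multicast SAs
    need SPI plus destination (plus source for SSM), because the SPI is chosen
    by a group controller and the same SPI may be in use for several groups.
    A consequence for receivers mixing both kinds: SPI values they assign for
    unicast SAs must not collide with group-assigned ones, or "spi" matching
    becomes ambiguous.  The sample below keeps them disjoint on purpose."""
    for sa in sad:
        if sa.spi != spi:
            continue
        if sa.lookup == "spi":
            return sa
        if sa.lookup == "spi+dst" and sa.dst == dst:
            return sa
        if sa.lookup == "spi+dst+src" and sa.dst == dst and sa.src == src:
            return sa
    return None


# Constructed SPD for a router acting as a HOST: OSPFv3 protected in transport
# mode, plus a management tunnel to an operations prefix, then drop everything.
HOST_SPD = [
    SPDEntry("ospfv3-allspf", f"{ALL_SPF_ROUTERS_V6}/128", OSPF_PROTO, "PROTECT", "transport"),
    SPDEntry("ospfv3-alld", f"{ALL_D_ROUTERS_V6}/128", OSPF_PROTO, "PROTECT", "transport"),
    SPDEntry("ospfv3-unicast", "fe80::/10", OSPF_PROTO, "PROTECT", "transport"),
    SPDEntry("mgmt-vpn", "2001:db8:1::/48", None, "PROTECT", "tunnel"),
    SPDEntry("default", "::/0", None, "DISCARD"),
]

# Constructed SAD: one SPI shared by two OSPFv3 groups, distinguishable only
# because multicast SAs are keyed on destination as well; one unicast tunnel SA.
HOST_SAD = [
    SAEntry(0x1000, "AH", "transport", ALL_SPF_ROUTERS_V6, "spi+dst", key_id="group-key-A"),
    SAEntry(0x1000, "AH", "transport", ALL_D_ROUTERS_V6, "spi+dst", key_id="group-key-B"),
    SAEntry(0x2000, "ESP", "tunnel", "2001:db8::1", "spi", key_id="ike-pair-1"),
]


if __name__ == "__main__":
    print("modes this host must implement:", modes_host_must_implement(HOST_SPD))
    hit = spd_lookup(HOST_SPD, ALL_SPF_ROUTERS_V6, OSPF_PROTO)
    print("OSPFv3 hello policy:", hit.name, hit.action, hit.mode)
    sa = sad_lookup(HOST_SAD, 0x1000, ALL_D_ROUTERS_V6, "fe80::1")
    print("inbound SPI 0x1000 to ff02::6 resolves to key:", sa.key_id)
```

Run as a script it prints the policy hit for an OSPFv3 hello and the SA chosen for an inbound packet. The part worth noticing is the SAD: both OSPFv3 groups carry SPI 0x1000, so a receiver that keyed its SAD on SPI alone, as it may for unicast, would hand the AllDRouters traffic to the AllSPFRouters key.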