On Sun, 3 May 2020, Christian Hopps wrote:
> An open issue we have for IPTFS is the use of transport mode.
> During the last face-to-face IETF meeting transport mode was mentioned, and
> my response had been that transport mode was less secure than non-TFS tunnel
> mode as the IP header was leaking user information so it hadn't been a
> consideration for us; however, it was later pointed out (by Paul W. I
> believe), that transport mode is (unfortunately?) commonly used with GRE
> tunnels in lieu of IPsec tunnel mode so we probably still needed to handle
> this case.
That is one use case of an IPsec connection across the internet using
transport mode. There are other uses of transport mode, such as nodes
within a LAN/WAN, but I don't think these really gain much from TFS. You
can't really have all your data center nodes generate fake traffic
between them. If these cross data centers, there is another gateway
to gateway IPsec connection in place as the outer layer, using tunnel
mode (or transport mode with GRE).
> We believe that there's enough complexity in the handling and specification
> of TFS for transport mode that we should address this mode in a separate
> draft. This will allow us to get the less complex TFS tunnel mode specified
> while we continue to work on the various aspects of how best to handle TFS
> transport mode.
That's fine with me, provided that we think that the current TFS
for tunnel mode would not need modification later to support transport
mode, and that we are mostly looking to specify restrictions on specific
packets and options in the transport mode draft.
> We would be happy to work with other interested folks to write this TFS
> transport mode draft.
I think that is valid. Also, anyone who would _really_ want TFS can also
turn their transport mode IPsec into tunnel mode IPsec.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
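The encapsulations the thread compares, as an added example (not code from the IPTFS draft, the IPsec WG, or any IPsec implementation). It builds the outer packets for plain ESP transport mode, ESP tunnel mode, GRE over ESP transport mode, and an IPTFS-style fixed-size tunnel, then shows what a passive on-path observer can read from each. The IPTFS framing (4-byte basic header with a BlockOffset, packets concatenated back to back, zero-version padding at the end) is a simplification of the draft's aggregation/fragmentation format written for this demo; the host and gateway addresses, the 256-byte payload size, and the absence of encryption and ICV are all assumptions of the example. The observer function only reads fields that are cleartext on the wire anyway (outer IP header, ESP SPI, total length), so leaving the ESP body unencrypted does not change what it sees.

```python
"""What an on-path observer sees for ESP transport, ESP tunnel, GRE over ESP
transport, and an IPTFS-style fixed-size tunnel.  Added example; encryption
and ICV are omitted because the observer only reads cleartext outer fields."""
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
NEXT_AGGFRAG = 5       # ESP next-header value used by IPTFS for aggregated/fragmented payloads
TFS_PAYLOAD = 256      # fixed ESP payload size for this demo (assumption)


def _csum(data):
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header, no options, DF set, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:] + payload


def esp(spi, seq, next_header, body):
    """ESP: SPI, sequence, body, padding to a 4-octet boundary, pad length, next
    header.  A real SA encrypts body+trailer and appends an ICV; both omitted."""
    pad_len = (-(len(body) + 2)) % 4
    return struct.pack("!II", spi, seq) + body + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_transport(user_pkt, spi, seq):
    """Transport mode on the user's own packet: the user's IP header stays in the clear."""
    ihl = (user_pkt[0] & 0x0F) * 4
    hdr, l4 = user_pkt[:ihl], user_pkt[ihl:]
    return ipv4(socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), IPPROTO_ESP,
                esp(spi, seq, hdr[9], l4))


def esp_tunnel(user_pkt, gw_src, gw_dst, spi, seq):
    """Tunnel mode: whole user packet inside ESP, outer header names the gateways."""
    return ipv4(gw_src, gw_dst, IPPROTO_ESP, esp(spi, seq, IPPROTO_IPIP, user_pkt))


def gre_over_esp_transport(user_pkt, gw_src, gw_dst, spi, seq):
    """'Transport mode with GRE': a GRE tunnel between the gateways protected by
    ESP transport mode.  The GRE header (flags 0, type 0x0800) sits inside ESP."""
    return ipv4(gw_src, gw_dst, IPPROTO_ESP,
                esp(spi, seq, IPPROTO_GRE, struct.pack("!HH", 0, 0x0800) + user_pkt))


def observer_view(wire):
    """Everything a passive observer learns from one outer packet."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", wire[:20])
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "len": total}
    if proto == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", wire[(ver_ihl & 0x0F) * 4:][:4])[0]
    return view


def tfs_aggregate(inner_pkts, payload_size=TFS_PAYLOAD):
    """IPTFS-style (simplified) fixed-size payloads: 4-byte basic header (subtype 0,
    reserved, BlockOffset), then inner packets back to back.  A packet that does
    not fit is split; BlockOffset in the next payload counts the leading octets
    that continue it.  Trailing zero octets (IP version nibble 0) are padding."""
    room = payload_size - 4
    payloads, cur, carry = [], bytearray(), 0
    for pkt in inner_pkts:
        pos = 0
        while pos < len(pkt):
            take = min(len(pkt) - pos, room - len(cur))
            cur += pkt[pos:pos + take]
            pos += take
            if len(cur) == room:
                payloads.append(struct.pack("!BBH", 0, 0, min(carry, room)) + bytes(cur))
                cur, carry = bytearray(), len(pkt) - pos
    if cur:
        cur += b"\x00" * (room - len(cur))
        payloads.append(struct.pack("!BBH", 0, 0, min(carry, room)) + bytes(cur))
    return payloads


def block_offsets(payloads):
    return [struct.unpack("!BBH", p[:4])[2] for p in payloads]


def tfs_reassemble(payloads):
    """Inverse of tfs_aggregate: returns the inner packets in order."""
    pkts, partial = [], bytearray()
    for p in payloads:
        off, data = block_offsets([p])[0], p[4:]
        if off > len(data) or (off and not partial):
            raise ValueError("bad BlockOffset")
        partial += data[:off]
        if len(partial) >= 4 and len(partial) == struct.unpack("!H", partial[2:4])[0]:
            pkts.append(bytes(partial))
            partial = bytearray()
        i = off
        while i < len(data) and data[i] >> 4 != 0:        # version 0 = padding to end
            total = struct.unpack("!H", data[i + 2:i + 4])[0] if i + 4 <= len(data) else None
            if total is None or i + total > len(data):     # header or body continues next payload
                partial = bytearray(data[i:])
                break
            pkts.append(bytes(data[i:i + total]))
            i += total
    return pkts


def demo():
    """Three user packets of different sizes between two hosts behind two gateways."""
    users = [ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"A" * n) for n in (40, 300, 120)]
    gw_a, gw_b, spi = "198.51.100.1", "203.0.113.1", 0x1001
    return {
        "transport": [observer_view(esp_transport(p, spi, i)) for i, p in enumerate(users)],
        "tunnel": [observer_view(esp_tunnel(p, gw_a, gw_b, spi, i)) for i, p in enumerate(users)],
        "gre_transport": [observer_view(gre_over_esp_transport(p, gw_a, gw_b, spi, i)) for i, p in enumerate(users)],
        "tfs_tunnel": [observer_view(ipv4(gw_a, gw_b, IPPROTO_ESP, esp(spi, i, NEXT_AGGFRAG, pl)))
                       for i, pl in enumerate(tfs_aggregate(users))],
    }


if __name__ == "__main__":
    for mode, views in demo().items():
        print(mode, [(v["src"], v["dst"], v["len"]) for v in views])
```

Running it shows the two points made in the thread: plain transport mode exposes the user hosts' addresses in every outer header, while GRE over transport mode and tunnel mode both expose only the gateway pair, the same SPI and the same protocol (50), so the observer's view of the two is identical apart from the few extra octets GRE adds. Both, however, still leak the per-packet size (92, 352 and 172 octets for tunnel mode here); only the TFS payloads come out at one constant outer size, with the 320-octet packet split across two payloads and the tail padded.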