Thanks, Paul. Given how you are focussing on this aspect, can I assume that you are happy with everything else in the suggested text?

Wrt tunnel vs. transport mode: If you can, please propose specific text that would improve the quality of the doc wrt. your point. I can only observe:

a) I have not found the word "profile" in either rfc4301 or rfc5996, so I have no basis from which to argue what could or could not be called permissible for a "profile".

b) I have not seen MUST support transport and MUST support tunnel mode, so being "incapable" of either option will lead to closing the connection, and those implementations are, I think, compliant with the IPsec/IKEv2 RFCs.

c) All router implementations I know that can do tunnel and transport mode allow you to configure which option specifically to use, and they too will close a connection if there is a mismatch. One could call that configuration "unwilling". ACP draft does not even have a notion of "unwilling", just "incapable".

Cheers
Toerless

Every router allows you to configure whether an

On Wed, Jun 17, 2020 at 04:01:25PM -0400, Paul Wouters wrote:
> On Wed, 17 Jun 2020, Toerless Eckert wrote:
>
> > > Note that you cannot _require_ transport mode, as the IKEv2
> > > protocol only allows you to _suggest_ transport mode. The peer
> > > can reject that suggestion and insist the connection uses
> > > tunnel mode.
> >
> > But we do define a profile of use of IPsec that both sides need to support
> > to interoperate. So what specifically does prohibit a specification of such
> > a profile to require to support and prefer one mode over the other?
> >
> > This is a peer-to-peer communication solution, so no interop
> > with devices not conforming to this spec.
>
> The profile is about protocol choices you agree to set in the
> profile. These choices are expected to be negotiated, eg encryption via
> AES_GCM, or encryption via CHACHA20_POLY1305. Your profile can say to
> pick one of these or both, because the protocol allows that.
>
> But the protocol does not provide the profiles a way to say "MUST
> do transport mode". The protocol only provides a way to say "Prefers
> transport mode".
>
> Technically, your profile could say to "request transport mode, and
> refuse the connection if the other end is unwilling to use transport
> mode", but I would argue that would constitute a protocol
> modification which is not what a profile should do.
>
> Paul

--
---
t...@cs.fau.de

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
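The "request vs. require" distinction argued in this thread, as an added model that is not part of the thread, the ACP draft, or any IKEv2 implementation: per RFC 7296 section 1.3.1 the initiator can only ask for transport mode by including the USE_TRANSPORT_MODE notification, the responder accepts by echoing it and falls back to tunnel mode by omitting it, so a "require transport" profile can only react after the fact by closing the Child SA. The policy flags and the `responder`/`negotiate` helpers are constructed for the illustration.

```python
"""Constructed model of IKEv2 Child SA mode negotiation (RFC 7296 sec. 1.3.1).

Not code from the ACP draft or from any IKE daemon; it only shows how the
USE_TRANSPORT_MODE notification lets a peer suggest, but not demand, transport
mode, and what a "require transport" profile can do about the responder's answer.
"""
from dataclasses import dataclass, field

USE_TRANSPORT_MODE = "USE_TRANSPORT_MODE"   # notify type 16391 in RFC 7296


@dataclass
class ChildSARequest:
    notifies: set = field(default_factory=set)


@dataclass
class ChildSAResponse:
    notifies: set = field(default_factory=set)
    rejected: bool = False   # responder refused to create the Child SA at all


def responder(req, supports_transport, allows_tunnel):
    """Responder policy (assumed): echo USE_TRANSPORT_MODE if it can do
    transport mode, otherwise fall back to tunnel mode by omitting the notify,
    or refuse when tunnel mode is not configured ("incapable")."""
    if USE_TRANSPORT_MODE in req.notifies and supports_transport:
        return ChildSAResponse({USE_TRANSPORT_MODE})
    if allows_tunnel:
        return ChildSAResponse(set())          # no notify => tunnel mode
    return ChildSAResponse(rejected=True)


def negotiate(request_transport, require_transport,
              responder_supports_transport, responder_allows_tunnel):
    """Return the resulting mode: 'transport', 'tunnel' or 'closed'."""
    req = ChildSARequest({USE_TRANSPORT_MODE} if request_transport else set())
    resp = responder(req, responder_supports_transport, responder_allows_tunnel)
    if resp.rejected:
        return "closed"
    if USE_TRANSPORT_MODE in resp.notifies:
        return "transport"
    # The responder dropped the notify, so the Child SA is in tunnel mode.
    # A profile that insists on transport mode can only tear it down now;
    # the protocol offered no way to demand transport mode up front.
    return "closed" if require_transport else "tunnel"
```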