On Wed, 17 Jun 2020, Toerless Eckert wrote:
Note that you cannot _require_ transport mode, as the IKEv2
protocol only allows you to _suggest_ transport mode. The peer
can reject that suggestion and insist the connection uses
tunnel mode.
But we do define a profile of use of IPsec that both sides need to support
to interoperate. So what specifically prohibits a specification of such
a profile from requiring support for, and preference of, one mode over the other?
This is a peer-to-peer communication solution, so no interop
with devices not conforming to this spec.
The profile is about protocol choices you agree to set in the
profile. These choices are expected to be negotiated, e.g. encryption via
AES_GCM, or encryption via CHACHA20_POLY1305. Your profile can say to
pick one of these or both, because the protocol allows that.
But the protocol does not provide the profiles a way to say "MUST
do transport mode". The protocol only provides a way to say "Prefers
transport mode".
Technically, your profile could say to "request transport mode, and
refuse the connection if the other end is unwilling to use transport
mode", but I would argue that would constitute a protocol
modification, which is not what a profile should do.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
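The negotiation the thread is arguing about, as an added model that is not part of the original messages and not code from any IKE implementation: in IKEv2 (RFC 7296, section 1.3.1) the initiator can only include N(USE_TRANSPORT_MODE) in its Child SA request; the responder accepts by echoing the notify and declines by omitting it, in which case the Child SA is in tunnel mode. The `require_transport` flag below is the "request and refuse" local policy from the thread, deliberately kept outside the two protocol functions to show it is not a protocol lever. Message structures, function names and the two-boolean knobs are constructed for illustration.

```python
"""Model of IKEv2 transport-mode negotiation via the USE_TRANSPORT_MODE notify.

Constructed example for illustration; it models only the notify-payload
semantics of RFC 7296 section 1.3.1, not a real IKE_AUTH/CREATE_CHILD_SA
exchange. Payload classes and helper names are assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TUNNEL = "tunnel"
    TRANSPORT = "transport"


# Notify message type from the IKEv2 registry (RFC 7296 section 3.10.1).
USE_TRANSPORT_MODE = 16391


@dataclass
class ChildSaRequest:
    """Initiator's Child SA proposal; only the notify list matters here."""
    notifies: list[int] = field(default_factory=list)


@dataclass
class ChildSaResponse:
    """Responder's Child SA reply; only the notify list matters here."""
    notifies: list[int] = field(default_factory=list)


def build_request(prefer_transport: bool) -> ChildSaRequest:
    """Initiator side: the protocol only lets it *include* the notify."""
    req = ChildSaRequest()
    if prefer_transport:
        req.notifies.append(USE_TRANSPORT_MODE)
    return req


def responder_reply(req: ChildSaRequest, accepts_transport: bool) -> ChildSaResponse:
    """Responder side: echo the notify to accept, omit it to insist on tunnel mode.

    A responder cannot introduce USE_TRANSPORT_MODE that the initiator
    did not request, so transport mode needs both sides to opt in.
    """
    resp = ChildSaResponse()
    if USE_TRANSPORT_MODE in req.notifies and accepts_transport:
        resp.notifies.append(USE_TRANSPORT_MODE)
    return resp


def negotiated_mode(req: ChildSaRequest, resp: ChildSaResponse) -> Mode:
    """Transport mode only if requested *and* echoed; otherwise tunnel mode."""
    if USE_TRANSPORT_MODE in req.notifies and USE_TRANSPORT_MODE in resp.notifies:
        return Mode.TRANSPORT
    return Mode.TUNNEL


def initiator_outcome(prefer_transport: bool,
                      require_transport: bool,
                      responder_accepts_transport: bool) -> tuple[Mode, bool]:
    """Run one negotiation; return (negotiated mode, SA kept by initiator).

    require_transport is *local policy* layered on top of the protocol: the
    SA is still negotiated in tunnel mode, and all the initiator can do is
    refuse to use it (delete the Child SA) afterwards.
    """
    req = build_request(prefer_transport)
    resp = responder_reply(req, responder_accepts_transport)
    mode = negotiated_mode(req, resp)
    if require_transport and mode is not Mode.TRANSPORT:
        # Profile-level "refuse": tear the tunnel-mode SA down instead of using it.
        return mode, False
    return mode, True


if __name__ == "__main__":
    for prefer, require, accept in [(True, False, True), (True, False, False),
                                    (True, True, False), (False, False, True)]:
        mode, kept = initiator_outcome(prefer, require, accept)
        print(f"prefer={prefer} require={require} responder_accepts={accept}"
              f" -> {mode.value}, sa_kept={kept}")
```

Running it shows the asymmetry Paul describes: the only outcome a conforming initiator can force is tunnel mode (by not sending the notify), while getting transport mode depends entirely on the responder echoing it; the `require_transport` branch is a policy decision after negotiation, which is why the thread treats it as outside what a profile can mandate.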