Transport Mode vs. Tunnel Mode
What is specified
- iFCP, FCIP: ESP tunnel mode is a MUST, ESP transport mode is a MAY
- iSCSI: nothing yet
Transport mode
- Pros
- Provides end-to-end security
- Lower overhead than tunnel mode
- Larger MTU
- Negotiation of connection-specific selectors is common practice
- Cons
- Requires IPsec to be implemented on the IPS entities
- Greater difficulties with NAT traversal: the NAT rewrites the address in the IP header but cannot fix the ESP-protected TCP checksum that covers that address (TCP checksum invalidation)
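The NAT problem named in the last transport-mode con, shown on an actual TCP checksum computation. This is an added example, not code from the slides or from any IPS implementation. Addresses, ports and the payload are constructed; the model assumes IPv4, a NAT that rewrites only the source address of the outermost IP header, and a NAT that can neither read nor modify anything inside the ESP payload. The tunnel-mode branch assumes the ESP packet itself still gets through the NAT (in practice that needs UDP encapsulation, which this example does not model).

```python
import struct
import ipaddress


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment.

    The pseudo-header binds source and destination addresses into the
    checksum. That binding is what a NAT must repair when it rewrites an
    address, and what it cannot repair once ESP covers the segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6 (TCP), TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH",
                      sport, dport,
                      1, 1,        # sequence / acknowledgement numbers (constructed)
                      5 << 4,      # data offset: 5 words, no options
                      0x18,        # flags PSH|ACK
                      65535,       # window
                      0,           # checksum placeholder
                      0)           # urgent pointer
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when the checksum over pseudo-header + segment folds to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def nat_rewrite_cleartext(segment: bytes, old_src: str, new_src: str, dst: str) -> bytes:
    """What a NAT does to an unprotected TCP segment: recompute the checksum
    for the translated source address. With ESP in the way the NAT has no
    access to the TCP header, so this step cannot happen."""
    if not tcp_checksum_ok(old_src, dst, segment):
        raise ValueError("segment did not verify before translation")
    body = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(new_src, dst, body)
    return body[:16] + struct.pack("!H", csum) + body[18:]


def receiver_checksum_result(mode: str, inner_src: str, nat_src: str, dst: str, segment: bytes) -> bool:
    """Model what the ESP peer sees after a NAT rewrote the packet's source.

    In both modes the NAT replaces the source address of the outermost IPv4
    header with nat_src and leaves the ESP payload (hence the TCP checksum)
    byte-for-byte unchanged.

    transport: only one IP header exists, so after decryption the segment is
               checked against the translated address and fails.
    tunnel:    the inner IP header travelled inside ESP untouched, so the
               segment is checked against inner_src and verifies."""
    if mode == "transport":
        src_seen_by_receiver = nat_src
    elif mode == "tunnel":
        src_seen_by_receiver = inner_src
    else:
        raise ValueError(mode)
    return tcp_checksum_ok(src_seen_by_receiver, dst, segment)


if __name__ == "__main__":
    # Constructed scenario: iSCSI initiator on a private address behind a NAT,
    # target on a public address, NAT's public address as translated source.
    initiator, nat_public, target = "10.0.0.5", "203.0.113.1", "192.0.2.10"
    seg = build_tcp_segment(initiator, target, 40000, 3260, b"constructed iSCSI PDU bytes")
    for mode in ("transport", "tunnel"):
        print(mode, "checksum ok at receiver:",
              receiver_checksum_result(mode, initiator, nat_public, target, seg))
```

The transport-mode case is the checksum-invalidation problem the slide refers to: the NAT has changed the address the checksum was computed over and nothing on the path can recompute the checksum, so the target discards the segment after a successful ESP decryption. Tunnel mode survives because the addresses the checksum covers never left the ESP payload.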
Tunnel mode
- Pros
- More compatible with existing VPN gateways
- Don’t have to implement IPsec on the IPS entity
- Easier to traverse NATs
- Cons
- More overhead
- Smaller MTU
- Secure operation within IPS scenarios would require negotiation of connection-specific selectors – not current practice
- For hosts with dynamically assigned addresses (iSCSI), interoperability is poor
- Existing implementations typically utilize proprietary extensions for configuration (mode config) or authentication (XAUTH)
- To avoid normative references to proprietary protocols, the iSCSI and IPS security drafts would need to cite draft-ietf-ipsec-dhcp-13.txt for configuration and possibly draft-ietf-ipsra-pic-04.txt – which adds significant complexity
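A worked overhead comparison behind the "lower overhead / larger MTU" and "more overhead / smaller MTU" bullets in the two lists above. This is an added example, not from the slides or from any IPS implementation. It assumes IPv4 headers without options, the ESP packet layout of RFC 2406 (8-byte SPI+sequence header, 2-byte pad-length/next-header trailer, CBC padding to the cipher block size), and defaults of AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV); the 3DES figures use an 8-byte block and IV. UDP encapsulation for NAT traversal is not counted.

```python
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IPV4_HEADER = 20  # no options
TCP_HEADER = 20   # no options


def esp_packet_size(mode: str, tcp_segment_len: int,
                    block_size: int = 16, iv_len: int = 16, icv_len: int = 12) -> int:
    """Total IPv4 packet length on the wire for one TCP segment under ESP.

    transport: IP | ESP hdr | IV | [TCP segment + pad + trailer] | ICV
    tunnel:    IP | ESP hdr | IV | [inner IP + TCP segment + pad + trailer] | ICV
    Padding brings (encrypted bytes + trailer) up to a multiple of the cipher
    block size, as CBC-mode ESP requires."""
    if mode == "transport":
        inner = tcp_segment_len
    elif mode == "tunnel":
        inner = IPV4_HEADER + tcp_segment_len      # the extra header tunnel mode carries
    else:
        raise ValueError(mode)
    encrypted = inner + ESP_TRAILER
    pad = (-encrypted) % block_size
    return IPV4_HEADER + ESP_HEADER + iv_len + encrypted + pad + icv_len


def esp_overhead(mode: str, tcp_segment_len: int, **cipher) -> int:
    """Bytes added compared with sending the same segment in the clear (IP + TCP)."""
    return esp_packet_size(mode, tcp_segment_len, **cipher) - (IPV4_HEADER + tcp_segment_len)


def max_tcp_mss(mode: str, path_mtu: int, **cipher) -> int:
    """Largest TCP payload (MSS) that fits in path_mtu without IP fragmentation.

    Because of block padding the answer is not simply mtu minus fixed
    overhead, so search the segment sizes directly."""
    best = 0
    for seg in range(TCP_HEADER, path_mtu + 1):
        if esp_packet_size(mode, seg, **cipher) <= path_mtu:
            best = seg - TCP_HEADER
    return best


if __name__ == "__main__":
    suites = {
        "AES-CBC / HMAC-SHA1-96": dict(block_size=16, iv_len=16, icv_len=12),
        "3DES-CBC / HMAC-SHA1-96": dict(block_size=8, iv_len=8, icv_len=12),
    }
    for mtu in (1500, 9000):            # Ethernet and jumbo-frame path MTUs
        for name, cipher in suites.items():
            for mode in ("transport", "tunnel"):
                mss = max_tcp_mss(mode, mtu, **cipher)
                print(f"MTU {mtu:5d} {name:24s} {mode:9s} "
                      f"MSS {mss:5d} overhead {esp_overhead(mode, mss + TCP_HEADER, **cipher):3d} B")
```

The tunnel-mode MSS is always exactly 20 bytes smaller than the transport-mode MSS for the same suite and path MTU, because the only difference is the inner IPv4 header that tunnel mode carries inside the ESP payload; per-packet overhead otherwise comes from the same ESP header, IV, padding, trailer and ICV in both modes. For IP storage the practical effect is a slightly smaller maximum PDU per packet, not a different security level.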