RE: Re: Encapsulation vs options
- To: kent@bbn.com
- Subject: RE: Re: Encapsulation vs options
- From: "Donald E. Eastlake, III, LJO2/I4 +1 508 486 2358 07-Dec-1992 1511" <dee@ranger.enet.dec.com>
- Date: Mon, 7 Dec 92 15:09:14 EST
- Apparently-To: ipsec@ans.net, kent@bbn.com
- Cc: ipsec@ans.net
Steve,
Well, I think you are now using the word "features" whereas before the word
being used was "facilities". More efficient processing by intermediate
routers is a feature of encapsulation as is a requirement that the end host
be able to speak encapsulation. The ability to fit in with existing option
oriented host software is a feature of an option.
I don't think I ever claimed that they were identical just that, modulo the
limited size of options in IPv4, you could provide virtually the same
functional properties with both and there were good reasons to use options in
some cases.
Donald
PS: I'd be interested in more details about what you are thinking about when
you talk about directing datagrams to a particular router with crypto capability
below. Seems to me that, in the subnet case, you had better put security in
all the routers that connect that subnet to the outside world. I suppose you
could hack all but one of such routers to forward a datagram that uses the
security protocol to one of them that is specially crypto knowledgeable but
this would not depend on whether the initial datagram was secured by
encapsulation or an option and this forwarding could be done by IP in IP
encapsulation and would not necessarily have anything to do with security
protocol encapsulation. But maybe I have a completely wrong view of what you
were thinking about?
--------------
From: US1RMC::"kent@BBN.COM" "Steve Kent" 7-DEC-1992 14:35
To: "Donald E. Eastlake, III,\ LJO2/I4 +1 508 486 2358 04-Dec-1992 1251"
<ranger::dee>
CC: teb@saturn.sys.acc.com, ipsec@ans.net
Subj: Re: Encapsulation vs options
Donald,
I don't agree that the IP option and encapsulation approaches
are as equivalent as you suggest. This becomes most noticeable when
an encapsulation protocol is offered at a router vs. an end system.
The use of encapsulation makes it easier to direct packets to a
particular router (where the crypto capability is located). Also,
routers which do not play a role in the crypto processing can avoid
seeing the crypto control information if encapsulation is employed,
whereas an IP option must be examined by all routers along a path.
I don't mean to suggest that there are not good uses for both
encapsulation and option-based security, but rather that there are
real differences in the features provided by each.
Steve
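The two concrete differences raised in this exchange, the limited room for IPv4 options that Donald mentions and Steve's point that every router on the path parses an option while an encapsulated inner packet is opaque to transit routers, as an added Python example that is not code from either correspondent; the option type number, addresses and control bytes are constructed samples, and the checksum is left zero.

```python
import struct

# Per RFC 791 the IHL field is 4 bits of 32-bit words, so an IPv4 header is at
# most 60 bytes and the options area at most 40 bytes.
MAX_IHL_WORDS = 15
BASE_HEADER_LEN = 20
MAX_OPTIONS_LEN = MAX_IHL_WORDS * 4 - BASE_HEADER_LEN  # 40 bytes
PROTO_IPIP = 4        # IP-in-IP encapsulation protocol number
OPT_SECURITY = 130    # RFC 791 Security option number (sample use only)


def option_fits(control: bytes) -> bool:
    """Does a type/length/control option fit in the 40-byte options area?"""
    return 2 + len(control) <= MAX_OPTIONS_LEN


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int,
                options: bytes = b"") -> bytes:
    """Build an IPv4 header; options are padded to a 32-bit boundary."""
    if len(options) > MAX_OPTIONS_LEN:
        raise ValueError(f"options too long: {len(options)} > {MAX_OPTIONS_LEN}")
    options += b"\x00" * (-len(options) % 4)  # pad with End-of-Option-List
    ihl = (BASE_HEADER_LEN + len(options)) // 4
    total = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0,
                        64, proto, 0, src, dst)
    return fixed + options


def option_secured(src, dst, control, inner_proto, payload):
    """Option-based approach: security control info rides in the IP header."""
    opt = bytes([OPT_SECURITY, 2 + len(control)]) + control
    return ipv4_header(src, dst, inner_proto, len(payload), opt) + payload


def encapsulated(src_gw, dst_gw, inner_packet):
    """Encapsulation approach: the original datagram becomes opaque payload."""
    return ipv4_header(src_gw, dst_gw, PROTO_IPIP, len(inner_packet)) + inner_packet


def transit_router_view(packet: bytes) -> dict:
    """What every router on the path parses: the outer header and its options."""
    ihl = (packet[0] & 0x0F) * 4
    return {"ihl": ihl, "proto": packet[9], "options": packet[BASE_HEADER_LEN:ihl]}


if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])    # constructed hosts
    pkt = option_secured(a, b, b"\x01\x02\x03\x04", 17, b"hello")
    print(transit_router_view(pkt))                       # options visible
    inner = ipv4_header(a, b, 17, 5) + b"hello"
    print(transit_router_view(encapsulated(a, b, inner))) # no options, proto 4
```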