
RE: Re: Encapsulation vs options



Steve,

Well, I think you are now using the word "features" whereas before the word 
being used was "facilities".  More efficient processing by intermediate
routers is a feature of encapsulation as is a requirement that the end host
be able to speak encapsulation.  The ability to fit in with existing option
oriented host software is a feature of an option.

I don't think I ever claimed that they were identical just that, modulo the
limited size of options in IPv4, you could provide virtually the same 
functional properties with both and there were good reasons to use options in 
some cases.

Donald

PS:  I'd be interested in more details about what you are thinking about when 
you talk about directing datagrams to a particular router with crypto capability 
below.  Seems to me that, in the subnet case, you had better put security in 
all the routers that connect that subnet to the outside world.  I suppose you
could hack all but one of such routers to forward a datagram that uses the
security protocol to one of them that is specially crypto knowledgeable, but 
this would not depend on whether the initial datagram was secured by 
encapsulation or an option, and this forwarding could be done by IP in IP 
encapsulation and would not necessarily have anything to do with security 
protocol encapsulation.  But maybe I have a completely wrong view of what you 
were thinking about?

--------------
From:	US1RMC::"kent@BBN.COM" "Steve Kent"     7-DEC-1992 14:35
To:	"Donald E. Eastlake, III,\ LJO2/I4 +1 508 486 2358 04-Dec-1992 1251" 
<ranger::dee>
CC:	teb@saturn.sys.acc.com, ipsec@ans.net
Subj:	Re: Encapsulation vs options 

Donald,

	I don't agree that the IP option and encapsulation approaches
are as equivalent as you suggest.  This becomes most noticeable when
an encapsulation protocol is offered at a router vs. an end system.
The use of encapsulation makes it easier to direct packets to a
particular router (where the crypto capability is located).  Also,
routers which do not play a role in the crypto processing can avoid
seeing the crypto control information if encapsulation is employed,
whereas an IP option must be examined by all routers along a path.

	I don't mean to suggest that there are not good uses for both
encapsulation and option-based security, but rather that there are
real differences in the features provided by each.

Steve
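The difference the two messages above argue about can be made concrete by building both kinds of datagram and looking at what a router with no crypto role has to parse in each case.  The following is an added example, not code from the original thread or from either author: it constructs an IPv4 datagram that carries the crypto control information in an IP option, and an IP-in-IP style datagram whose outer header is addressed to a single crypto-capable router with the control block and inner datagram left opaque.  The addresses, the option type (0x9E), the protocol number (253, from the experimental range) and the control block contents are all hypothetical values chosen for illustration.

```python
import struct
import socket

# Constructed values for illustration only. SEC_OPTION_TYPE and SEC_ENCAP_PROTO
# are hypothetical, not registered option or protocol numbers.
HOST_A = "10.0.1.2"          # originating host
HOST_B = "10.0.2.9"          # destination host on a protected subnet
CRYPTO_ROUTER = "10.0.2.1"   # the one router on B's subnet that speaks the security protocol
SEC_OPTION_TYPE = 0x9E       # hypothetical IPv4 option carrying crypto control information
SEC_ENCAP_PROTO = 253        # experimental protocol number standing in for a security encapsulation
CRYPTO_CTRL = struct.pack("!H", 4) + b"\xde\xad\xbe\xef"   # constructed, length-prefixed control block
TCP_PAYLOAD = b"\x04\xd2\x00\x50" + b"GET / HTTP/1.0\r\n"   # constructed transport payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build an IPv4 datagram; options are padded to a 32-bit boundary with End-of-Option-List (0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(fixed + options)
    header = fixed[:10] + struct.pack("!H", csum) + fixed[12:] + options
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the header every IP module on the path must process; the payload stays opaque."""
    v_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    options, i = [], 20
    while i < ihl:                      # RFC 791: every IP module has to walk the option list
        kind = pkt[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # No Operation
            i += 1
            continue
        length = pkt[i + 1]
        options.append((kind, pkt[i + 2:i + length]))
        i += length
    return {"ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "options": options,
            "payload": pkt[ihl:total_len]}


def option_datagram() -> bytes:
    """Security as an IP option: A -> B, with the crypto control block inside the IP header."""
    opt = bytes([SEC_OPTION_TYPE, 2 + len(CRYPTO_CTRL)]) + CRYPTO_CTRL
    return build_ipv4(HOST_A, HOST_B, 6, TCP_PAYLOAD, options=opt)


def encapsulated_datagram() -> bytes:
    """Security by encapsulation: outer header addressed to the crypto router, inner datagram opaque."""
    inner = build_ipv4(HOST_A, HOST_B, 6, TCP_PAYLOAD)
    return build_ipv4(HOST_A, CRYPTO_ROUTER, SEC_ENCAP_PROTO, CRYPTO_CTRL + inner)


def transit_router_view(pkt: bytes) -> dict:
    """Everything a router with no crypto role learns simply by forwarding the datagram."""
    hdr = parse_ipv4(pkt)
    return {"dst": hdr["dst"], "proto": hdr["proto"], "options": hdr["options"]}


def crypto_router_decapsulate(pkt: bytes) -> bytes:
    """The one router that speaks the security protocol strips the outer header and control block."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != SEC_ENCAP_PROTO:
        raise ValueError("not a security-encapsulated datagram")
    ctrl_len = struct.unpack("!H", outer["payload"][:2])[0]
    # a real implementation would verify or decrypt using the control block; here it is only stripped
    return outer["payload"][2 + ctrl_len:]


if __name__ == "__main__":
    print("option datagram, transit router sees:", transit_router_view(option_datagram()))
    print("encapsulated datagram, transit router sees:", transit_router_view(encapsulated_datagram()))
    print("crypto router recovers:", parse_ipv4(crypto_router_decapsulate(encapsulated_datagram())))
```

Running it shows the two points at issue: with the option, every transit router that walks the option list ends up holding the control block (type 0x9E and its six bytes), whereas with encapsulation a transit router sees only an outer header addressed to the crypto router with protocol 253 and no options, and only that router recovers the inner A-to-B datagram.  The example does not show Donald's other point, that the option form needs no new code on an end host whose IP already handles options, since that is a property of the host software rather than of the bytes on the wire.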