
Re[2]: Path MTU Discovery



Ran,

>Ben,
>
>  It is worth noting that none of the IPsec RFCs cite any of the IP-in-IP
>RFCs.  This is not an accident.  With IPsec, one is not performing IP-in-IP. 
>Rather, one is performing IP-in-AH or IP-in-ESP.  The IP-in-IP RFCs don't 
>include IPsec within their scope.
>
>It was quite intentional that this was done.  It is equally intentional
>that the IPsec RFCs haven't been citing the IP-in-IP RFCs.

Funny, but a couple of months back when I started a mailing list discussion 
due to my confusion about how to implement AH on a secure gateway, someone 
pointed me to IP-in-IP.  Then it all made sense to me.

The model I've been using is to compare the source and destination 
addresses to the tunnel end points.  If they are not equal, use IP-in-IP 
then apply ESP/AH transport mode.

You're right that the IPSec RFCs do not cite RFC 1853 specifically, but the 
text surrounding tunnel mode IPSec (as well as a lot of the mailing list 
discussion) sure looks like IP-in-IP to me!

Bill Whelan
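
The model described in the message above, written out as an added example (not code from the original post or from any IPsec implementation): a gateway wraps a packet in IP-in-IP only when its addresses differ from the tunnel end points, then applies AH in transport mode. Assumptions: option-less IPv4 headers, the RFC 2402 AH layout with an HMAC-SHA-1-96 ICV, and hypothetical function names; addresses, SPI and key are constructed sample values.

```python
import hashlib, hmac, socket, struct

IPPROTO_IPIP, IPPROTO_AH, ICV_LEN = 4, 51, 12   # ICV_LEN: HMAC-SHA-1-96

def csum(hdr):
    """Internet checksum of a 20-byte header; 0 if a valid checksum is in place."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0, frag=0):
    """Option-less IPv4 header with a valid checksum."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, frag,
                    ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", csum(h)) + h[12:]

def endpoints(packet):
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def ah_transport(packet, spi, seq, key):
    """Insert AH between the packet's IP header and its payload."""
    _, tos, _, ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    (src, dst), payload = endpoints(packet), packet[20:]
    n = 12 + ICV_LEN + len(payload)
    # Fixed part: next header, length in 32-bit words minus 2, reserved, SPI, sequence
    ah = struct.pack("!BBHII", proto, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    # ICV input: mutable IP fields (TOS, flags/offset, TTL, checksum) and ICV zeroed
    zeroed = ip_header(src, dst, IPPROTO_AH, n, ttl=0, ident=ident)
    zeroed = zeroed[:10] + b"\0\0" + zeroed[12:]
    icv = hmac.new(key, zeroed + ah + bytes(ICV_LEN) + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip_header(src, dst, IPPROTO_AH, n, ttl, tos, ident, frag) + ah + icv + payload

def gateway_output(packet, tun_src, tun_dst, spi, seq, key):
    """Tunnel only when the packet's addresses differ from the tunnel end points."""
    if endpoints(packet) != (tun_src, tun_dst):
        packet = ip_header(tun_src, tun_dst, IPPROTO_IPIP, len(packet)) + packet
    return ah_transport(packet, spi, seq, key)

if __name__ == "__main__":
    key, data = b"constructed-sample-k", b"8 bytes!"          # constructed values
    inner = ip_header("10.1.0.5", "10.2.0.9", 17, len(data)) + data
    out = gateway_output(inner, "192.0.2.1", "198.51.100.1", 0x1000, 1, key)
    # Resulting layering: outer IP (proto 51) | AH (next header 4) | inner IP | data
    print(endpoints(out), "proto", out[9], "AH next header", out[20], len(out), "bytes")
```

For a packet between hosts behind the gateway the output is outer IP, AH with next header 4, then the untouched inner datagram, which is the same byte layout as tunnel-mode AH.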