
Re: IPsec Architecture -- proposed changes



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "C" == C Harald Koch <chk@utcc.utoronto.ca> writes:
    C> This makes traceroute output look really weird when going
    C> through a tunnel.  The question is, should a tunnel look like a
    C> single IP hop or not? I'm of the VPN religion, and so I believe
    C> that tunnels should look like a direct (one hop) link between
    C> the two hosts/routers.

    C> Comments?

  Okay, which end decrements then?
  The far end is the one "forwarding", so it should do it.
  The near end can be thought to be forwarding as well.

  For diagnostic purposes, I'd rather have both end points.
  It should be noted that the ICMP reply should have a public address,
or router ID, for it.
  
  We have not yet resolved a question I raised a while ago: how are
ICMPs from distant routers (beyond the "far" router) allowed to enter
the tunnel?
  please see: 
	http://www.sandelman.ottawa.on.ca/ipsec/1997/07/msg00022.html
  and you might recall:
	http://www.sandelman.ottawa.on.ca/ipsec/1997/07/msg00023.html 
  
    C> documented anywhere.  ISAKMP allows you to negotiate the length
    C> of variable keys for encryption, but not for simultaneous
    C> authentication.  This problem needs to be dealt with
    C> *somewhere*; I would put it within the ISAKMP series somewhere.

  I agree that there is missing text.

   :!mcr!:            |  Network security programming, currently
   Michael Richardson | on contract with SSH IPSEC (http://www.ssh.fi/)
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.

  


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNDpZhKZpLyXYhL+BAQG0qgMAjinaJj5NHzZ+ObNvuUC7y66XZ1pwzuTW
zDDXh1BEkLzUk1xvNS9im+32GVVlIyvhB3WQPqCTULjqQGefU1EV2inxG+KB/l0r
pl9TnZOUjTxsSgzTErPQJHhiFXqgP6vi
=sX99
-----END PGP SIGNATURE-----
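The hop-count question above (which tunnel endpoint decrements the inner TTL, and what traceroute then shows) and the point about ICMP replies needing a public source address can be made concrete with a small simulation. The following is an added example, not code from the message above or from any IPsec implementation; the topology, the addresses, the `OUTER_TTL` value and the three policies "near", "far" and "both" are all constructed here for illustration. Transit routers inside the tunnel only ever touch the outer header, so they never appear in the inner packet's traceroute regardless of policy.

```python
"""Simulate traceroute across an IP-in-IP (IPsec tunnel-mode) path under
different rules for which tunnel endpoint decrements the inner TTL.
Constructed example; addresses and topology are illustrative only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTER_TTL = 64  # assumed TTL written into the outer header at encapsulation

# RFC 1918 space: an ICMP Time Exceeded sourced from here is useless to a
# diagnostic client on the public side of the tunnel.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Node:
    name: str
    public: str                    # address reachable from the outside path
    role: str                      # "host", "router", "encap", "transit", "decap"
    private: Optional[str] = None  # tunnel-internal address, if any


def build_path() -> List[Node]:
    """Constructed path: H1 -> R1 (encapsulator) -> T1, T2 (transit routers
    that see only the outer header) -> R2 (decapsulator) -> H2."""
    return [
        Node("H1", "192.0.2.10", "host"),
        Node("R1", "203.0.113.1", "encap", private="10.0.0.1"),
        Node("T1", "198.51.100.1", "transit"),
        Node("T2", "198.51.100.2", "transit"),
        Node("R2", "203.0.113.2", "decap", private="10.0.0.2"),
        Node("H2", "192.0.2.20", "host"),
    ]


def send_probe(path: List[Node], ttl: int, policy: str,
               icmp_from_private: bool = False) -> Tuple[str, str]:
    """Forward one probe with inner TTL `ttl` along `path`.

    policy: "near" (only the encapsulator decrements the inner TTL, so the
    tunnel looks like one hop), "far" (only the decapsulator does), or "both".
    Returns (name of the node that answers, source address of its reply)."""
    inner = ttl
    outer = None  # outer TTL, present only while the packet is encapsulated
    for node in path[1:]:
        if node.role == "host":
            return node.name, node.public  # destination reached
        if node.role == "transit" and outer is not None:
            # Inside the tunnel only the outer header is forwarded; the inner
            # TTL is opaque to transit routers.
            outer -= 1
            if outer == 0:
                return node.name, node.public
            continue
        decrement = (
            node.role in ("router", "transit")
            or (node.role == "encap" and policy in ("near", "both"))
            or (node.role == "decap" and policy in ("far", "both"))
        )
        if decrement:
            inner -= 1
            if inner == 0:
                # Time Exceeded. A tunnel endpoint should answer from its public
                # address; icmp_from_private models the unhelpful alternative.
                src = node.private if (icmp_from_private and node.private) else node.public
                return node.name, src
        if node.role == "encap":
            outer = OUTER_TTL  # fresh outer header for the tunnel
        elif node.role == "decap":
            outer = None       # inner packet continues on its own
    raise RuntimeError("path exhausted without reaching a destination")


def traceroute(path: List[Node], policy: str, icmp_from_private: bool = False,
               max_ttl: int = 8):
    """Probe with TTL 1, 2, ... until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        name, src = send_probe(path, ttl, policy, icmp_from_private)
        hops.append((ttl, name, src))
        if name == path[-1].name:
            break
    return hops


def unroutable_replies(hops):
    """Hop entries whose ICMP source sits in RFC 1918 space."""
    return [h for h in hops
            if any(ipaddress.ip_address(h[2]) in net for net in RFC1918)]


if __name__ == "__main__":
    path = build_path()
    for policy in ("near", "far", "both"):
        print(policy)
        for ttl, name, src in traceroute(path, policy):
            print(f"  {ttl}  {name:3} {src}")
    print("replies from tunnel-internal addresses:",
          unroutable_replies(traceroute(path, "far", icmp_from_private=True)))
```

Under "near" the trace reads R1 then H2, under "far" it reads R2 then H2, and under "both" it reads R1, R2, H2; in every case T1 and T2 are invisible. With `icmp_from_private=True` the decapsulator's Time Exceeded arrives from 10.0.0.2, which `unroutable_replies` flags as the kind of address the message says the reply should not carry.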

