
Re: some issues about IPSec



In message <199801250124.UAA26798@relay.rv.tis.com>, Charles Lynn writes:
> Folks,
> 
> From my perspective, the major benefit of transport mode is that the
> packet is processed with IP-layer semantics.  I've yet to see a
> specification for tunneling that:
> 	preserves the TTL/hop count semantics,
> 	doesn't mess with the Don't Fragment bit,
> 	accumulates record route data,
> 	sends that packet along the path specified by a source route
> 		contained in the (inner IP header) or Routing Header,
> 	preserves the IPv6 flow label, etc.

You're talking about different tunnel-mode semantics than most people,
probably because of a Mobile-IP background.

The IP-in-IP tunnels *I* want to see should look like (lossy) layer 1/2
links. The Internet should be invisible, and the tunnel should look like a
single L2 network link to IP.

One of the justifications for IPsec tunnel mode is that it hides all of the
information in the inner packet (particularly IP options like record-route
and source-route) from an outside observer.

Thus:

    tunnel doesn't link inner/outer TTLs
    Path MTU should be supported, but copy DF bit is not required.
    no record route or source route copying from inside to outside.

I understand that Mobile-IP *wants* to see the underlying network; IPsec
does not, and also doesn't want the inner packet visible in any way.

(IMHO, naturally :-)

-- 
Harald Koch <chk@utcc.utoronto.ca>
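[Added example, not part of this message or of any IPsec implementation: a small Python model of the three tunnel rules listed above (outer TTL independent of inner TTL, DF handled by tunnel policy rather than mandatory copy, no inner options copied outward). It carries the inner packet as plain IP-in-IP (protocol 4) rather than ESP so the inner header stays inspectable; with ESP the inner packet would also be encrypted. The function names, the 10.x/192.0.2.x/198.51.100.x addresses and the sample packet with a record-route option are all constructed for the illustration, and the copy/clear/set DF policy is this example's choice, since the message only says copying is not required.]

```python
"""Model of IPsec-style tunnel encapsulation: outer TTL is the tunnel's own,
DF is set by policy, and inner IP options never leak into the outer header.
Protocol 4 (IP-in-IP) stands in for ESP so the inner packet can be inspected."""
import struct
import ipaddress

IPPROTO_IPIP = 4      # plain IP-in-IP, standing in for ESP (50) in this demo
IP_DF = 0x4000        # Don't Fragment flag in the flags/fragment-offset word


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, df=False, options=b"", ident=0):
    """Assemble an IPv4 packet; options must already be padded to 4 bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, total_len, ident,
                      IP_DF if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Parse the header an observer of this packet can see; verify checksum."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    hdr = pkt[:ihl * 4]
    if ver_ihl >> 4 != 4 or _checksum(hdr) != 0:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "df": bool(flags_frag & IP_DF),
        "proto": proto,
        "options": hdr[20:],          # raw option bytes, empty if none
        "payload": pkt[ihl * 4:total_len],
    }


def tunnel_encapsulate(inner, outer_src, outer_dst, outer_ttl=64, df_policy="clear"):
    """Wrap `inner` in a fresh outer header per the rules in the message.

    df_policy is "clear", "set" or "copy": copying is allowed, not required.
    """
    inner_hdr = parse_ipv4(inner)               # validates; also needed for "copy"
    df = {"clear": False, "set": True, "copy": inner_hdr["df"]}[df_policy]
    # Outer TTL is the tunnel's own value, not derived from the inner TTL.
    # Options are deliberately NOT passed through, so record-route and
    # source-route data stay inside the tunnel, invisible to the outside.
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner,
                      ttl=outer_ttl, df=df, options=b"")


def tunnel_decapsulate(outer):
    """Strip the outer header; the inner packet comes back byte-for-byte."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return hdr["payload"]        # inner TTL/DF/options untouched by the tunnel


# Constructed sample: a record-route option (type 7, length 11, pointer 4,
# two empty 4-byte slots) padded with one end-of-options byte to 12 bytes.
RECORD_ROUTE = b"\x07\x0b\x04" + b"\x00" * 8 + b"\x00"
INNER = build_ipv4("10.1.1.1", "10.2.2.2", 17, b"hello",
                   ttl=37, df=True, options=RECORD_ROUTE, ident=0x1234)


def demo():
    """Encapsulate the sample packet and report what each vantage point sees."""
    outer = tunnel_encapsulate(INNER, "192.0.2.1", "198.51.100.1", outer_ttl=64)
    observer = parse_ipv4(outer)                # what is visible on the wire
    observer.pop("payload")
    inner_after = parse_ipv4(tunnel_decapsulate(outer))
    return {
        "outer": observer,
        "inner_after": inner_after,
        "inner_bytes_preserved": tunnel_decapsulate(outer) == INNER,
    }


if __name__ == "__main__":
    r = demo()
    print("outside observer sees:", r["outer"])
    print("inner packet after tunnel: ttl=%d df=%s options=%r" % (
        r["inner_after"]["ttl"], r["inner_after"]["df"], r["inner_after"]["options"]))
```

Running demo() shows the outer header with TTL 64, DF clear and no options while the inner packet keeps TTL 37, DF set and its record-route option; passing df_policy="copy" is the one case where something from the inner header (the DF bit) is allowed to surface outside.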

