Re: comments on VPN framework document
>'IPSEC-tunnel' is that it is not a
>tunnel at all, really - just a
>security encapsulation scheme.
By my definition, a tunnel exists whenever you
encapsulate one packet within another packet.
By that scheme an IPSEC/IP tunnel is as much a
tunnel as an IPSEC/L2TP tunnel.
>If you encrypt the original IP header,
>what alternative have you got but to
>add another one?
The same comment could be made about an
L2TP packet, which is encrypted when contained
in IPSEC/L2TP.
>With IPSEC, there is no mechanism to define
>an 'Virtual IP interface' that can be managed
>as any other IP interface - routing/cost/filtering/....
>
This is indeed a feature of your implementation.
There is no intrinsic reason why an IPSEC/IP
tunnel cannot be treated as a virtual interface.
IP-IP tunnels (for DVMRP, for example) have
commonly been treated as virtual interfaces.
>In the meantime, I'm thinking that
>L2TP+Transport-mode-IPSEC is as close as
>we can get today.
>
It is true that implementations of
IPSEC/L2TP are often more
advanced than IPSEC/IP
implementations.
However, let's not confuse details
of implementations with discussions
of the protocol differences.
If we are attempting to discuss
differences, we should focus
on the ways in which IPSEC/IP and
IPSEC/L2TP are different, namely
the differences between IP and
L2TP. There are no substantive
security differences between
IPSEC/IP and IPSEC/L2TP since
both use IPSEC for security.