
Re: comments on VPN framework document



>'IPSEC-tunnel' is that it is not a 
>tunnel at all, really - just a
>security encapsulation scheme. 

By my definition, a tunnel exists whenever you
encapsulate one packet within another packet.
By that scheme an IPSEC/IP tunnel is as much a
tunnel as an IPSEC/L2TP tunnel. 

>If you encrypt the original IP header, 
>what alternative have you got but to 
>add another one.

The same comment could be made about an
L2TP packet, which is encrypted when contained
in IPSEC/L2TP. 

>With IPSEC, there is no mechanism to define 
>an 'Virtual IP interface' that can be managed 
>as any other IP interface - routing/cost/filtering/.... 
>
This is indeed a feature of your implementation.
There is no intrinsic reason why an IPSEC/IP
tunnel cannot be treated as a virtual interface.
IP-IP tunnels (for DVMRP, for example) have
commonly been treated as virtual interfaces.


>In the meantime, I'm thinking that 
>L2TP+Transport-mode-IPSEC is as close as
>we can get today.
>

It is true that implementations of 
IPSEC/L2TP are often more 
advanced than IPSEC/IP 
implementations.

However, let's not confuse details
of implementations with discussions
of the protocol differences. 
If we are attempting to discuss 
differences, we should focus
on the ways in which IPSEC/IP and
IPSEC/L2TP are different, namely
the differences between IP and 
L2TP. There are no substantive
security differences between 
IPSEC/IP and IPSEC/L2TP since
both use IPSEC for security.
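The two encapsulations debated above, modelled in code as an added example that is not part of the thread. It builds the same original IP packet into an IPSEC/IP tunnel (outer IP, ESP, inner IP) and into IPSEC/L2TP in transport mode (outer IP, ESP, UDP, L2TP, PPP, inner IP), then shows what a passive observer can parse without the key versus what the receiving gateway recovers. All addresses, SPI, key and payload are constructed sample values, the ESP integrity check is omitted, and a repeating-key XOR stands in for ESP's cipher so the example runs offline; the header layouts follow RFC 791 (IPv4), ESP (SPI, sequence number, encrypted payload and trailer) and the L2TPv2 data message.

```python
import socket
import struct

# Protocol numbers and ports used by the two encapsulations
IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
L2TP_PORT = 1701
PPP_IPV4 = b"\x00\x21"          # PPP protocol field value for IPv4

# Constructed sample values (not from the thread): end hosts, gateways, SA parameters
HOST_A, HOST_B = "10.0.0.1", "10.0.1.1"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
KEY = b"constructed-demo"
SPI, SEQ = 0x1234, 1


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (RFC 791); checksum left zero for the model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def l2tp_data_header(tunnel_id, session_id):
    """L2TPv2 data message with no optional fields: flags/version, tunnel id, session id."""
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)


def toy_keystream(key, n):
    """Stand-in for ESP's cipher so the example runs offline: repeating-key XOR.
    Not secure; it only models 'bytes after SPI/seq are opaque to an observer'."""
    return bytes(key[i % len(key)] for i in range(n))


def esp_encapsulate(key, spi, seq, payload, next_header):
    """ESP (RFC 2406 layout): SPI | seq | ENC(payload | pad | pad_len | next_header).
    The next-header field sits inside the encrypted trailer in both schemes."""
    pad_len = -(len(payload) + 2) % 4
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ks = toy_keystream(key, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))


def esp_decapsulate(key, esp):
    """Return (next_header, payload) from an ESP packet built by esp_encapsulate."""
    ct = esp[8:]
    pt = bytes(a ^ b for a, b in zip(ct, toy_keystream(key, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]


# The packet the end host sent: IP | UDP | data (constructed)
_DATA = b"hello over the vpn"
ORIGINAL = (ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, 8 + len(_DATA))
            + udp_header(40000, 53, len(_DATA)) + _DATA)


def ipsec_ip_tunnel(inner=ORIGINAL):
    """IPSEC/IP: outer IP | ESP | [inner IP packet]; ESP next header = 4 (IP-in-IP)."""
    esp = esp_encapsulate(KEY, SPI, SEQ, inner, IPPROTO_IPIP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


def ipsec_l2tp(inner=ORIGINAL):
    """IPSEC/L2TP (transport mode): outer IP | ESP | [UDP | L2TP | PPP | inner IP]."""
    l2tp = l2tp_data_header(7, 9) + PPP_IPV4 + inner
    payload = udp_header(L2TP_PORT, L2TP_PORT, len(l2tp)) + l2tp
    esp = esp_encapsulate(KEY, SPI, SEQ, payload, IPPROTO_UDP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


def observer_view(packet):
    """What a passive observer parses without the key: outer IP fields and ESP SPI/seq.
    The rest, including the next-header byte, is opaque in both schemes."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "protocol": proto}
    if proto == IPPROTO_ESP:
        view["spi"], view["seq"] = struct.unpack("!II", packet[ihl:ihl + 8])
        view["opaque_bytes"] = len(packet) - ihl - 8
    return view


def recipient_view(packet):
    """Decapsulate at the gateway and recover the inner IP packet for either scheme."""
    ihl = (packet[0] & 0x0F) * 4
    next_header, payload = esp_decapsulate(KEY, packet[ihl:])
    if next_header == IPPROTO_IPIP:
        return payload                      # inner IP packet follows ESP directly
    if next_header == IPPROTO_UDP:
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport != L2TP_PORT:
            raise ValueError("transport-mode payload is not L2TP")
        return payload[8 + 6 + 2:]          # strip UDP, L2TP data header, PPP field
    raise ValueError("unexpected next header %d" % next_header)


if __name__ == "__main__":
    for name, pkt in (("IPSEC/IP", ipsec_ip_tunnel()), ("IPSEC/L2TP", ipsec_l2tp())):
        print(name, observer_view(pkt), "recovered:", recipient_view(pkt) == ORIGINAL)
```

Run as a script, both schemes print the same observer view (gateway addresses, protocol 50, SPI and sequence number) and both recover the original packet; the only difference an observer can measure is the extra 16 bytes of UDP, L2TP and PPP overhead inside the opaque region, which is the IP-versus-L2TP difference the message points to rather than a difference in what IPSEC protects.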