
RE: comments on VPN framework document



Stephen,

>The VPN framework lists some of the problems, but my main problem with a
>plain 'IPSEC-tunnel' is that it is not a tunnel at all, really - just a
>security encapsulation scheme.  If you encrypt the original IP header, what
>alternative have you got but to add another one.

A tunnel, in the IP context, entails point-to-point encapsulation of traffic
with an external IP header, designed to carry the traffic to a
decapsulation point to which the traffic would not otherwise be routed.
IPsec tunneling fits this definition, as does IP-in-IP and IPX-over-IP,
etc.

IPsec, because it has been designed for use with IP, imposes certain
processing on the content of tunnel mode traffic, specifically because
IPsec is not just an encryption facility.  It (usually) provides
authentication and optional anti-replay, and embodies a simple form of
access control.  In tunnel mode, the headers used for access control are
those encapsulated by IPsec, vs. use of the outer headers in transport mode.

Steve
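An added illustration of the distinction drawn above (not part of the original thread): a small Python model of tunnel-mode versus transport-mode framing, showing which IP header the SPD selector check reads in each mode. The header builder, the example addresses and the policy networks are constructed for this sketch; the ESP header/trailer, encryption and authentication are omitted, so only header visibility is modelled.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ESP = 50  # IP protocol number announcing an ESP payload in the preceding header


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a datagram built by build_ipv4."""
    ihl = (pkt[0] & 0x0F) * 4
    return IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[9], pkt[ihl:]


def tunnel_encapsulate(inner_pkt, gw_src, gw_dst):
    """Tunnel mode: the whole original datagram, header included, becomes the
    protected payload; a new outer header addressed to the peer gateway is added."""
    return build_ipv4(gw_src, gw_dst, ESP, inner_pkt)


def transport_encapsulate(pkt):
    """Transport mode: the original header stays outermost and only the payload
    is protected (the real next-header value would move into the ESP trailer)."""
    src, dst, _proto, payload = parse_ipv4(pkt)
    return build_ipv4(src, dst, ESP, payload)


def selector_headers(pkt, mode):
    """Addresses the SPD selector check sees: the encapsulated inner header in
    tunnel mode, the (only) outer header in transport mode."""
    src, dst, _, payload = parse_ipv4(pkt)
    if mode == "tunnel":
        src, dst, _, _ = parse_ipv4(payload)
    return src, dst


def spd_permits(pkt, mode, allowed_src, allowed_dst):
    """Simple access-control decision on the selected source/destination pair."""
    src, dst = selector_headers(pkt, mode)
    return src in IPv4Network(allowed_src) and dst in IPv4Network(allowed_dst)


if __name__ == "__main__":
    # Constructed example: hosts 10.1.0.5 -> 10.2.0.7 behind gateways 192.0.2.1 / 198.51.100.1
    inner = build_ipv4("10.1.0.5", "10.2.0.7", 6, b"tcp-segment")
    tun = tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print("tunnel-mode selectors:", selector_headers(tun, "tunnel"),
          "permitted:", spd_permits(tun, "tunnel", "10.1.0.0/16", "10.2.0.0/16"))
```

Run as a script it prints the inner-host addresses the policy check consults for the tunnel-mode packet; applying the same policy to that packet's outer gateway header would instead fail, which is the difference the text describes.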

