RE: comments on VPN framework document
> >'IPSEC-tunnel' is that it is not a
> >tunnel at all, really - just a
> >security encapsulation scheme.
>
> By my definition, a tunnel exists whenever you
> encapsulate one packet within another packet.
> By that scheme an IPSEC/IP tunnel is as much a
> tunnel as an IPSEC/L2TP tunnel.
>
I was comparing the IPSEC-tunnel (as defined in the IPSEC architecture) with
other IP tunneling recommendations - all of which have much more to them than
just encapsulating the original packet with an IP header.
> >If you encrypt the original IP header,
> >what alternative have you got but to
> >add another one.
>
> The same comment could be made about an
> L2TP packet, which is encrypted when contained
> in IPSEC/L2TP.
Again - I was making the point that adding an IP header is ALL the
IPSEC tunnel is, nothing more.
>
> >With IPSEC, there is no mechanism to define
> >an 'Virtual IP interface' that can be managed
> >as any other IP interface - routing/cost/filtering/....
> >
> This is indeed a feature of your implementation.
> There is no intrinsic reason why an IPSEC/IP
> tunnel cannot be treated as a virtual interface.
> IP-IP tunnels (for DVMRP, for example) have
> commonly been treated as virtual interfaces.
>
There may be no reason why IPSEC/IP can't be treated as a virtual interface,
but that is not the model defined in the IPSEC architecture, where everything
is driven from security policy databases that are applied to data ON an
interface, and a policy within a given SPD calling for tunnel-mode protection
does not constitute an interface or anything that is manageable as such.
>
> >In the meantime, I'm thinking that
> >L2TP+Transport-mode-IPSEC is as close as
> >we can get today.
> >
>
> It is true that implementations of
> IPSEC/L2TP are often more
> advanced than IPSEC/IP
> implementations.
>
> However, let's not confuse details
> of implementations with discussions
> of the protocol differences.
> If we are attempting to discuss
> differences, we should focus
> on the ways in which IPSEC/IP and
> IPSEC/L2TP are different, namely
> the differences between IP and
> L2TP. There are no substantive
> security differences between
> IPSEC/IP and IPSEC/L2TP since
> both use IPSEC for security.
>
Let's hope so.
Steve.