
RE: comments on VPN framework document



> > With IPSEC, there is no mechanism to define a 'Virtual IP interface' that
> > can be managed as any other IP interface - routing/cost/filtering/....
> >
> > Perhaps this is just the way that I (and others) have implemented it -
> > following the basic model in the IPSEC architecture, i.e. the SPD model.
>
> Stephen, thanks for clarifying this - use of a virtual interface does
> sound more like a stack implementation issue than a protocol issue
> though (i.e. not a limitation of IPSEC-tunnel mode itself?). Or would
> something have to change on the wire protocol before you could implement
> that?

I agree with Stephen on this - I think the security architecture document
discourages the implementation of tunnel-mode SAs as virtual interfaces.

At least for IPv6, there are real wire protocol implications to making
something a virtual interface. IPv6 defines Neighbor Discovery, and if the
tunnel is a virtual interface then I would expect ND to run over the tunnel.
I would expect the virtual interface to have address(es) assigned to it
(different from the IPv6 addresses assigned to the real interfaces). So at
least with IPv6, there are real interoperability issues with respect to implementing a
tunnel-mode SA as a virtual interface. I believe that in practice, it is not
possible to implement tunnel-mode SAs as virtual interfaces.

Rich