
RE: comments on VPN framework document

Dan,
 
> Attempting to use a layer 3 security protocol to provide what is,
> in effect, layer 2 security is going to be problematic. No doubt about it.
> If you're dead set on doing this why not use a proxy identity type of
> subnet whose value is 0.0.0.0/0.0.0.0?

If there were universal agreement on what this meant when you
received it, there would not be a problem. However, in previous
email on this topic it was asserted that this would imply that
I had a default route pointing out the SA. This is not true
if there are separate inbound and outbound policies, i.e.
just because I can receive from 'any' it does not mean
that I have to use that SA to send everything. Allowing
the proxy ids to be omitted (or, at a pinch, included with
the value 0.0.0.0) would certainly solve the problem, along
with some explanatory text which indicated how this was to
be interpreted.

> Or why not just use the right tool for the right job: a link encryptor.

Not sure what you mean by 'link encryptor'. The endpoints of 
the IP tunnel could be separated by many intermediate routers. 
If IP is being used as a link layer (as it is when IP tunneling 
is being used, as seen, for example, by any routing instance that
may be running over it) then using IPSEC just means you've got 
a secure link layer.

Bryan 
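
The separate inbound and outbound policies Bryan describes, as an added example that is not part of the original message: a toy Python model of an RFC 2401-style security policy database (SPD) in which the inbound entry for the tunnel SA carries the wildcard 0.0.0.0/0 selector while the outbound entries stay specific. The gateway and site prefixes, the SA name "tun-to-peer" and the selector values are assumptions chosen for illustration, not anything from the thread.

```python
"""Toy model of an IPsec SPD with direction-specific entries (added example).

Demonstrates the point from the message above: an inbound "any" selector on a
tunnel SA does not force that SA to become the outbound default route, because
inbound and outbound policies are looked up independently.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")  # the 0.0.0.0/0.0.0.0 proxy identity


@dataclass(frozen=True)
class Selector:
    """Traffic selector (the 'proxy IDs' negotiated for the SA)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


@dataclass(frozen=True)
class Policy:
    direction: str            # "in" or "out"
    selector: Selector
    action: str               # "protect", "bypass" or "discard"
    sa: Optional[str] = None  # tunnel SA used when action == "protect"


class SPD:
    """Ordered security policy database; the first matching entry wins."""

    def __init__(self, policies):
        self.policies = list(policies)

    def lookup(self, direction: str, src_ip: str, dst_ip: str) -> Policy:
        for p in self.policies:
            if p.direction == direction and p.selector.matches(src_ip, dst_ip):
                return p
        # RFC 2401 default: traffic matching no entry is discarded
        return Policy(direction, Selector(ANY, ANY), "discard")


def outbound_decision(spd: SPD, src_ip: str, dst_ip: str):
    """Decide what happens to a packet this gateway is about to send."""
    p = spd.lookup("out", src_ip, dst_ip)
    return p.action, p.sa


def inbound_accept(spd: SPD, sa_name: str, src_ip: str, dst_ip: str) -> bool:
    """After decapsulation: the inner packet is accepted only if the matching
    inbound entry says 'protect' and names the SA the packet arrived on."""
    p = spd.lookup("in", src_ip, dst_ip)
    return p.action == "protect" and p.sa == sa_name


def build_example_spd() -> SPD:
    """Assumed example site: local 10.0.0.0/8, remote site 192.168.0.0/16,
    one tunnel SA 'tun-to-peer' between the two gateways (all hypothetical)."""
    net = ipaddress.ip_network
    return SPD([
        # Inbound: accept whatever the peer chose to put through the tunnel.
        Policy("in", Selector(ANY, ANY), "protect", sa="tun-to-peer"),
        # Outbound: only traffic for the remote site's prefix uses the tunnel ...
        Policy("out", Selector(net("10.0.0.0/8"), net("192.168.0.0/16")),
               "protect", sa="tun-to-peer"),
        # ... everything else leaves in the clear via ordinary routing.
        Policy("out", Selector(ANY, ANY), "bypass"),
    ])


if __name__ == "__main__":
    spd = build_example_spd()
    print(outbound_decision(spd, "10.1.2.3", "192.168.5.6"))   # via the tunnel
    print(outbound_decision(spd, "10.1.2.3", "198.51.100.7"))  # bypass, not the SA
    print(inbound_accept(spd, "tun-to-peer", "172.16.9.9", "10.1.2.3"))
```

The outbound lookup never consults the inbound wildcard entry, which is the whole point: the peer's routing decides what enters the tunnel, and this side's outbound SPD decides what leaves through it. One caveat that the toy makes visible: taken literally, an inbound wildcard "protect" entry also says that unprotected packets from anywhere must be discarded, so a real deployment scopes it to the tunnel peer or interface rather than to the whole host.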