
RE: comments on VPN framework document



Richard,
 
> > Stephen, thanks for clarifying this - use of a virtual 
> interface does
> > sound more like a stack implementation issue than a protocol issue
> > though (i.e. not a limitation of IPSEC-tunnel mode 
> itself?). Or would
> > something have to change on the wire protocol before you 
> > could implement
> > that?
> 
> I agree with Stephen on this - I think the security 
> architecture document
> discourages the implementation of tunnel-mode SAs as virtual 
> interfaces.

The architecture document should neither encourage nor
discourage local implementation choices.

> At least for IPv6, there are real wire protocol implications to making
> something a virtual interface. IPv6 defines Neighbor 
> Discovery, and if the
> tunnel is a virtual interface then I would expect ND to run 
> over the tunnel.
> I would expect the virtual interface to have address(es) 
> assigned to it
> (different from the IPv6 addresses assigned to the real 
> interfaces). So at
> least with IPv6, there are real interoperability issues wrt 
> implementing a
> tunnel-mode SA as a virtual interface. 

I don't see the problem. In fact IPv6 explicitly addresses
the use of IP as a link layer, and has developed a wider
vocabulary to deal with tunneling issues than existed
previously ...

link        - a communication facility or medium over which nodes
              can communicate at the link layer, i.e., the layer
              immediately below IP.  Examples are Ethernets
              (simple or bridged), PPP links, X.25, Frame Relay,
              or ATM networks as well as internet (or higher)
              layer "tunnels", such as tunnels over IPv4 or IPv6
              itself.

interface   - a node's attachment to a link.


> I believe that in 
> practice, it is not
> possible to implement tunnel-mode SAs as virtual interfaces.

I know of implementations that do use tunnel mode SAs as 
virtual interfaces. Whether this is easy or hard depends
primarily on where you are starting from. 

Bryan
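
[Editor's added example, not part of the thread.] The exchange above argues about whether a tunnel-mode SA can be presented as a virtual interface with its own IPv6 address, so that Neighbor Discovery and routing treat the tunnel as an ordinary link. The script below shows one concrete way a current Linux host does exactly that, using the kernel's XFRM interface type and iproute2's "if_id" binding between the interface and its SAs/policies. It assumes a Linux kernel and iproute2 with XFRM interface support; every address, SPI, if_id and key is a constructed placeholder (documentation ranges), and keys would in practice come from IKE. Unless run as root with APPLY=1 the commands are only printed, so the sequence can be read and checked without touching a host.

```shell
#!/bin/sh
# Added example (not from the original thread): a tunnel-mode IPsec SA
# bound to a Linux XFRM virtual interface that carries its own IPv6 address.
# All values below are constructed placeholders; keys normally come from IKE.
# Commands execute only when APPLY=1 and the script runs as root; otherwise
# each command is echoed on one line so the plan can be inspected.

IFACE="${IFACE:-ipsec0}"
IF_ID="${IF_ID:-42}"                       # ties SAs/policies to the interface
LOCAL_V4="${LOCAL_V4:-192.0.2.1}"           # outer tunnel endpoint (local)
PEER_V4="${PEER_V4:-198.51.100.1}"          # outer tunnel endpoint (peer)
INNER_V6="${INNER_V6:-2001:db8:1::1/64}"    # address of the virtual interface
PEER_V6_NET="${PEER_V6_NET:-2001:db8:2::/64}"   # inner prefix reached via the tunnel
SPI_OUT="${SPI_OUT:-0x1000}"
SPI_IN="${SPI_IN:-0x1001}"
# Placeholder AES-GCM-128 key material: 16-byte key + 4-byte salt (rfc4106).
KEY="${KEY:-0x000102030405060708090a0b0c0d0e0f10111213}"

run() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# 1. The virtual interface itself, with an address distinct from the
#    physical interfaces. ND, routing and filtering see a normal link.
link_cmds() {
    run ip link add "$IFACE" type xfrm if_id "$IF_ID"
    run ip -6 addr add "$INNER_V6" dev "$IFACE"
    run ip link set "$IFACE" up
}

# 2. One tunnel-mode SA per direction, tagged with the same if_id so that
#    packets leaving/entering the interface are matched to them.
state_cmds() {
    run ip xfrm state add src "$LOCAL_V4" dst "$PEER_V4" proto esp spi "$SPI_OUT" \
        aead "rfc4106(gcm(aes))" "$KEY" 128 mode tunnel if_id "$IF_ID"
    run ip xfrm state add src "$PEER_V4" dst "$LOCAL_V4" proto esp spi "$SPI_IN" \
        aead "rfc4106(gcm(aes))" "$KEY" 128 mode tunnel if_id "$IF_ID"
}

# 3. Policies bound to the interface; no per-prefix SPD selectors are needed
#    because the route, not the selector, decides what enters the tunnel.
policy_cmds() {
    run ip xfrm policy add dir out if_id "$IF_ID" \
        tmpl src "$LOCAL_V4" dst "$PEER_V4" proto esp mode tunnel
    run ip xfrm policy add dir in if_id "$IF_ID" \
        tmpl src "$PEER_V4" dst "$LOCAL_V4" proto esp mode tunnel
}

# 4. An ordinary IPv6 route over the virtual interface.
route_cmds() {
    run ip -6 route add "$PEER_V6_NET" dev "$IFACE"
}

setup_all() { link_cmds; state_cmds; policy_cmds; route_cmds; }

# Number of commands the setup issues (used for a self-check).
count_cmds() { setup_all | wc -l | tr -d ' '; }

setup_all
```

Run it without arguments to see the eight commands it would issue; set APPLY=1 and run as root on a test host to apply them. The point the script makes for the discussion above is that once the SA is bound to an interface, the inner IPv6 address, ND and routing all live on that interface like any other link, while the on-the-wire ESP format is unchanged.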