
Re: Encapsulation of IPsec Datagrams - Performance Question



> 	Although I am still in the process of studying IPsec, I have
> yet to find an answer to this question, although I know that it must
> be in the RFCs.  Suppose that I want to encapsulate an IPsec
> datagram into another IPsec datagram.  For example, if I have a
> transport mode datagram inside of a tunnel mode datagram.  Does the
> payload data get encrypted twice or only once?  In other words, is
> ESP intelligent enough to determine that it doesn't need to spend
> CPU cycles encrypting the payload of tunnel mode if it is already
> encrypted?

No, it gets encrypted twice.  This is a feature, not a bug.

For one, the transport-mode IPsec packet going into the tunnel may be
headed for a different destination than the tunnel endpoint.

						- Bill
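
The layering described in the reply above, as an added example that is not part of the original thread: a transport-mode SA between hosts A and B is carried inside a tunnel-mode SA between gateways G1 and G2, so G2 can remove only the outer layer. The host and gateway names, the function names, the simplified ESP layout (no padding field) and the SHA-256 keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hashlib, hmac, os, struct

def keystream(key, iv, n):
    # Toy SHA-256 counter-mode keystream: a stand-in for the SA's real cipher.
    blocks = (hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def new_sa(spi):
    # Constructed SA: random keys, one SA per pair of IPsec peers.
    return {"spi": spi, "enc": os.urandom(32), "auth": os.urandom(32)}

def icv(sa, body):
    return hmac.new(sa["auth"], body, hashlib.sha256).digest()[:16]

def esp_seal(sa, next_header, payload, seq=1):
    # Simplified ESP layout: SPI | seq | IV | enc(payload, next header) | ICV
    iv = os.urandom(8)
    plain = payload + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(plain, keystream(sa["enc"], iv, len(plain))))
    body = struct.pack(">II", sa["spi"], seq) + iv + ct
    return body + icv(sa, body)

def esp_open(sa, packet):
    body, tag = packet[:-16], packet[-16:]
    if not hmac.compare_digest(tag, icv(sa, body)):
        raise ValueError("ICV check failed: wrong SA")
    iv, ct = body[8:16], body[16:]
    plain = bytes(a ^ b for a, b in zip(ct, keystream(sa["enc"], iv, len(ct))))
    return plain[-1], plain[:-1]          # (next header, payload)

def demo():
    sa_ab = new_sa(0x1001)                # transport mode: host A <-> host B
    sa_gw = new_sa(0x2002)                # tunnel mode: gateway G1 <-> gateway G2
    data = b"application data from A to B"
    ip_ab = b"IP[A->B,proto=50]"          # constructed stand-in for an IP header
    inner = ip_ab + esp_seal(sa_ab, 6, data)          # 6 = TCP
    outer = esp_seal(sa_gw, 4, inner)                 # 4 = IP-in-IP
    nh_gw, at_g2 = esp_open(sa_gw, outer)             # G2 strips the tunnel layer
    try:                                              # G2 does not hold sa_ab
        esp_open(sa_gw, at_g2[len(ip_ab):])
        g2_opened_inner = True
    except ValueError:
        g2_opened_inner = False
    nh_b, at_b = esp_open(sa_ab, at_g2[len(ip_ab):])  # only B can finish
    return {"g2_next_header": nh_gw, "g2_sees_data": data in at_g2,
            "g2_opened_inner": g2_opened_inner, "b_next_header": nh_b, "b_data": at_b}
```

If the outer layer skipped encryption because the payload was already ESP, the inner IP header and SPI would be exposed on the path between the gateways.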