
Re: IPSEC tunnels for LAN-to-LAN interop issue



Lars,

>  >> 1) IP tunnel device tunnels packets, IPSEC then applies transport-mode
>  >> protection to the IP-in-IP packets as they leave.
>
>  stephen> Why transport mode here, vs. tunnel mode.  The device looks more
>  stephen> like an SG than an end system, does it not?
>
>He wants to run RIP over the tunnels. IPsec tunnel mode (at least all
>implementations I have seen) is handled by packet filters/firewalls, which
>means the tunnel is not represented in the routing table and RIP won't see
>them. Using an IPIP tunnel device (which will show up in the routing table)
>plus IPsec transport mode is a way to circumvent this.

I see the basis for the concern, but the examples you cite are a result of
some implementation instances, not intrinsic in the IPsec architecture. The
question of how routing is implemented in an IPsec gateway is outside the
scope of 2401, but the question of what mode to use in such a gateway, and
what constitutes a gateway vs. an end system, are addressed in 2401.

Steve
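The IPIP-device-plus-transport-mode arrangement Lars describes, as an added example that is not part of the thread: a Linux/iproute2 script in which the tunnel is an ordinary routed interface and the IPsec SPD only selects the IP-in-IP packets between the two gateways. Gateway addresses, tunnel address, SPIs and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an IPIP tunnel device that is a real
# routed interface, plus transport-mode IPsec applied to the IP-in-IP packets
# exchanged between the gateways. All addresses, SPIs and keys are constructed
# placeholders. Commands are only printed unless APPLY=1 (applying needs root
# and a kernel with xfrm support).
LOCAL_GW=${LOCAL_GW:-192.0.2.1}          # this gateway's outer address
REMOTE_GW=${REMOTE_GW:-198.51.100.1}     # peer gateway's outer address
TUN_IF=${TUN_IF:-ipip0}
TUN_ADDR=${TUN_ADDR:-10.255.0.1/30}      # point-to-point address on the tunnel
SPI_OUT=${SPI_OUT:-0x1001}; SPI_IN=${SPI_IN:-0x1002}
# AES-128-GCM keys (16-byte key + 4-byte salt); placeholders, e.g. openssl rand -hex 20
KEY_OUT=${KEY_OUT:-0x000102030405060708090a0b0c0d0e0f10111213}
KEY_IN=${KEY_IN:-0x101112131415161718191a1b1c1d1e1f20212223}

# Step 1: the tunnel device. Because it is an interface, routes can point at it
# and RIP (or any routing daemon) can run over it like any other link.
tunnel_cmds() {
  printf 'ip tunnel add %s mode ipip local %s remote %s\n' "$TUN_IF" "$LOCAL_GW" "$REMOTE_GW"
  printf 'ip addr add %s dev %s\n' "$TUN_ADDR" "$TUN_IF"
  printf 'ip link set %s up\n' "$TUN_IF"
}

# Step 2: transport-mode SAs and SPD entries selecting only IP protocol 4
# (IP-in-IP) between the two gateway addresses. ESP wraps the already
# encapsulated packet, so nothing about the SA has to appear in the routing
# table. Manual keying is for illustration only; use IKE for real SAs.
ipsec_cmds() {
  for dir in out in; do
    if [ "$dir" = out ]; then s=$LOCAL_GW; d=$REMOTE_GW; spi=$SPI_OUT; key=$KEY_OUT
    else s=$REMOTE_GW; d=$LOCAL_GW; spi=$SPI_IN; key=$KEY_IN; fi
    printf "ip xfrm state add src %s dst %s proto esp spi %s mode transport aead 'rfc4106(gcm(aes))' %s 128\n" "$s" "$d" "$spi" "$key"
    printf 'ip xfrm policy add src %s dst %s proto 4 dir %s tmpl proto esp mode transport\n' "$s" "$d" "$dir"
  done
}

# Dry run by default so the plan can be reviewed; APPLY=1 executes it.
if [ "${APPLY:-0}" = 1 ]; then { tunnel_cmds; ipsec_cmds; } | sh -e
else tunnel_cmds; ipsec_cmds; fi
```

Run it with APPLY=1 on each gateway with LOCAL_GW/REMOTE_GW and the SPI/key pairs swapped; routes RIP learns over ipip0 point at the interface, while the xfrm policy protects every protocol-4 packet between the two outer addresses without itself being a routing-table entry.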
