
RE: IPSEC tunnels for LAN-to-LAN interop issue




  >> Can the remote end distinguish if a tunneled IPsec packet was created by
  >> IPIP encapsulation + IPsec transport mode or IPsec tunnel mode? In either
  >> case, the incoming SA will have to match on the outer header.

  stephen> Yes, the outer header will be the same in either case, but
  stephen> transport mode calls for matching SA selectors against the outer IP
  stephen> header and the immediately following transport header (if port
  stephen> selectors are employed), whereas tunnel mode calls for matching the
  stephen> selectors against the inner IP and transport headers.  Thus the
  stephen> processing is different for each case.

That was my understanding for the sending side when an outgoing packet is
tunneled. However, on the incoming side, the SA selectors must match against
the outer header, because inner header and transport layer may be
encrypted. Or am I missing something? If this is correct, I still think there
is an ambiguity as to who is responsible for decapsulation.

Lars
______________________________________________________________________________
Lars Eggert <larse@isi.edu>                     Information Sciences Institute
http://www.isi.edu/~larse/                   University of Southern California


