
RE: IPSEC tunnels for LAN-to-LAN interop issue



Hi Paul, 

I hope I have managed to explain clearly why the model of an IPIP tunnel
device (or any other IP-capable tunnel) that then has transport mode
protection added works for routing interfaces. Can you have a crack at
defining how Intranet packets that have IPSEC tunnel encapsulation added can
be modeled as a LAN-LAN routing interface?  I have tried, and it always
seems to come out 'hacky'.

The concern I have is that some folk have done it one way, and some another,
and they will not interwork.  Some will say "I want to send you RIP, but it
must be with transport-mode", and others will say "no, tunnel mode". The mad
thing is, both are identical, but the decapsulation logic is very different.


Cheers, Steve.

-----Original Message-----
From: Paul Koning [mailto:pkoning@xedia.com]
Sent: Thursday, August 26, 1999 11:02 PM
To: Stephen.Waters@cabletron.com
Cc: richdr@microsoft.com; ipsec@lists.tislabs.com
Subject: RE: IPSEC tunnels for LAN-to-LAN interop issue


>>>>> "Waters," == Waters, Stephen <Stephen.Waters@cabletron.com> writes:

 Waters,> 2) is a hack because I no longer have an interface. IPSEC
 Waters,> intercepts packet leaving the system, and, due to the fact
 Waters,> that the contents is completely scrambled has to add a new
 Waters,> header.

 Waters,> -----Original Message----- From: Richard Draves

 >> 1) IP tunnel device tunnels packets, IPSEC then applies
 >> transport-mode protection to the IP-in-IP packets as they leave.
 >> 
 >> 2) IPSEC tunnel is modeled as an interface, and just negotiates
 >> tunnel mode and exposes the resulting tunnel as an interface. This
 >> is akin to marrying an SDP policy with an Interface.
 >> 
 >> 3) IP tunnel device tunnels packets, IPSEC then applies tunnel
 >> mode protection.

I'm not sure why you call (2) a hack.  It is a perfectly reasonable
way of doing things.  Why did you say "I no longer have an interface"?
(2) is, approximately, what we do in our product.  One consequence is
that routing protocols (RIP, OSPF, etc.) work normally across tunnels.

	paul
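The point raised above, that IPIP-then-transport-mode and tunnel-mode produce the same bytes on the wire but are decapsulated along different paths, as an added illustration that is not part of this thread. It assumes a plaintext, unauthenticated ESP with zero IP checksums purely so the byte layout stays visible, and a constructed inner packet; it is not any product's code.

```python
import struct

ESP, IPIP = 50, 4  # IP protocol numbers

def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (20 bytes, checksum left zero; constructed example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def esp_wrap(spi, seq, payload, next_hdr):
    """Plaintext ESP for illustration: header | payload | padding | pad len | next header (no ICV)."""
    pad = (-(len(payload) + 2)) % 4
    return struct.pack("!II", spi, seq) + payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])

def esp_unwrap(esp):
    """Return (next_header, payload) from a plaintext ESP packet."""
    pad, next_hdr = esp[-2], esp[-1]
    return next_hdr, esp[8:len(esp) - 2 - pad]

# Model 1: IPIP tunnel device adds the outer header, then transport-mode ESP protects it
def model1_encap(inner, src, dst, spi=0x100, seq=1):
    ipip = ip_header(src, dst, IPIP, len(inner)) + inner   # tunnel device output
    esp = esp_wrap(spi, seq, ipip[20:], ipip[9])          # transport mode: protect outer payload
    return ip_header(src, dst, ESP, len(esp)) + esp        # outer header now says ESP

def model1_decap(wire):
    next_hdr, payload = esp_unwrap(wire[20:])
    restored = ip_header(wire[12:16], wire[16:20], next_hdr, len(payload)) + payload
    if restored[9] != IPIP:
        raise ValueError("not an IP-in-IP packet")
    return restored[20:]            # IP stack hands it to the IPIP device, which strips the outer header

# Model 2/3: tunnel-mode ESP builds the outer header itself
def model2_encap(inner, src, dst, spi=0x100, seq=1):
    esp = esp_wrap(spi, seq, inner, IPIP)
    return ip_header(src, dst, ESP, len(esp)) + esp

def model2_decap(wire):
    next_hdr, inner = esp_unwrap(wire[20:])
    if next_hdr != IPIP:
        raise ValueError("tunnel-mode SA expects an inner IP packet")
    return inner                    # inner packet delivered directly, no tunnel device involved

def demo():
    """Constructed packet: returns (wire formats identical, model 1 decap ok, model 2 decap ok)."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    inner = ip_header(bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]), 17, 8) + b"RIPdata!"
    w1, w2 = model1_encap(inner, src, dst), model2_encap(inner, src, dst)
    return w1 == w2, model1_decap(w1) == inner, model2_decap(w2) == inner
```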