
Re: IPSEC tunnels for LAN-to-LAN interop issue



  Perhaps RIP is not the right tool for this job. Can't you run BGP between
the SGWs?

  Dan.

On Fri, 27 Aug 1999 00:38:02 BST you wrote:
> I can appreciate how 'ACL-routing' can provide traffic selection with IPSEC,
> but I can't model a routing interface (RIP instance) onto IPSEC without
> separating the IPIP tunnel part into a device, and then protecting that with
> transport-mode (or tunnel mode - but that adds too many headers).
> 
> Yes, the traffic protected across these LAN-LAN tunnels covers all traffic
> that the IP tunnel was willing to encapsulate - it makes negotiating the
> IPSEC selectors nice and easy :) If you want to exclude traffic inbound or
> outbound, you can use standard packet filtering on the Virtual IP/routing
> interface 'above' the IPIP tunnel - these packet filters are capable of
> expressing far more sophisticated filters than can be expressed by an IPSEC
> tunnel anyway.
> 
> If the alternative is to specify an IPSEC policy/tunnel that uses 'Intranet
> selectors', what will those selectors say?  I am running routing because I
> want to discover what is there, not have to define it up front. To discover
> and use, the IPSEC-tunnel policy would need to be wide-open, and then we are
> back to the same place of having a single 'pipe' to a remote router.
> 
> The [IPIP tunnel+transport-mode IPSEC] model could be used to remove the
> need to negotiate payload description in IKE at all, and could also remove
> the need to define an SPD. If the peer address on the IPIP tunnel is unique
> (for most cases, this is true), you can run with no configured SPD, and, IKE
> permitting, you arrange a transport-mode pipe between a unique src/dest
> defaulting to the addresses specified on the IKE packets.
> 
> For sites that you do not want to exchange routing with (SOHO, extranet) and
> for client access (don't even want an interface for these), then
> 'ACL-routing' is fine. 
> 
> I'm open-minded (I hope) on this, I just want LAN-LAN routing to interop. If
> someone can model an IPSEC-tunnel policy approach that works as a routing
> interface, I'm happy to go along.
> 
> Cheers, Steve.

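As an added illustration of the two models Steve contrasts above (a tunnel-mode SPD whose selectors must name the intranet subnets up front, versus an IPIP tunnel protected by one transport-mode SA with packet filtering on the virtual interface), this is example code, not code from the thread; all gateway addresses, subnets, routes and the filter rule are constructed sample values.

```python
from ipaddress import ip_address, ip_network

IPIP_PROTO = 4  # IP-in-IP; the only protocol the transport-mode SA must cover

# Constructed sample gateway addresses (the IPIP tunnel endpoints)
GW_A, GW_B = ip_address("192.0.2.1"), ip_address("198.51.100.1")

# (A) Tunnel-mode SPD: selectors must name the intranet subnets up front.
TUNNEL_SPD = [(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))]

# (B) Transport-mode SPD: a single src/dst/proto entry for the IPIP pipe.
TRANSPORT_SPD = [(GW_A, GW_B, IPIP_PROTO)]

# Packet filter on the virtual interface 'above' the IPIP tunnel (model B).
# Constructed rule: block one remote subnet without touching the SA at all.
TUN_FILTER_DENY = [ip_network("10.2.9.0/24")]

def tunnel_mode_protects(src, dst, spd=TUNNEL_SPD):
    """Model A: the inner packet is protected only if a selector pair matches."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in spd)

def lookup_route(dst, routes):
    """Longest-prefix match over routes: {network: outgoing interface}."""
    d = ip_address(dst)
    hits = [n for n in routes if d in n]
    return routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

def ipip_transport_protects(src, dst, routes, spd=TRANSPORT_SPD,
                            deny=TUN_FILTER_DENY):
    """Model B: routing decides what enters the tunnel; whatever does is
    encapsulated as GW_A->GW_B proto 4, which is all the transport SPD sees."""
    if lookup_route(dst, routes) != "tun0":
        return False                      # never enters the tunnel
    if any(ip_address(dst) in n for n in deny):
        return False                      # dropped on the virtual interface
    outer = (GW_A, GW_B, IPIP_PROTO)      # the encapsulating header
    return outer in spd

# Routes as RIP would learn them over the tunnel interface; 10.3/16 appears
# later at the remote site and was never written into the tunnel-mode SPD.
ROUTES = {
    ip_network("10.1.0.0/16"): "eth0",
    ip_network("10.2.0.0/16"): "tun0",
    ip_network("10.3.0.0/16"): "tun0",
}

if __name__ == "__main__":
    for dst in ("10.2.1.1", "10.3.1.1", "10.2.9.7"):
        print(dst, tunnel_mode_protects("10.1.5.5", dst),
              ipip_transport_protects("10.1.5.5", dst, ROUTES))
```

The newly learned 10.3.0.0/16 is carried by model B but silently falls outside model A's selectors, which is the "define it up front" problem Steve describes; the filter on tun0 shows exclusion happening above the tunnel rather than in the SA.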

