
RE: IPSEC tunnels for LAN-to-LAN interop issue



Stephen,

>I think I disagree with the statement that "Anything else will violate RFC
>2401". A security gateway is perfectly entitled to protected 'originating
>traffic' with transport-mode, and if the traffic source is a tunnel device
>(IPIP, L2TP, GRE...), then IPSEC can quite fairly protect this with
>transport mode to a remote peer/security gateway:
>
>" Note that for the case where traffic is destined for a
>   security gateway, e.g., SNMP commands, the security gateway is acting
>   as a host and transport mode is allowed."
>
>It is convenient, I think, to model generic traffic between two security
>gateways as transport-mode, regardless of the protocol.

One can do this if the goal is to eviscerate the access controls provided
by IPsec, and there is a desire to add unnecessary protocol layers (e.g.,
L2TP and GRE) when carrying IP traffic :-).

Steve
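The access-control point Steve makes above can be shown with a small model of an RFC 2401 SPD lookup. This is an added example, not code from the thread; the gateway and site addresses are constructed, and the selector set is simplified to addresses, protocol and destination port.

```python
import ipaddress

# Constructed example: two gateways and two ways of protecting site-to-site traffic.
GW1, GW2 = "192.0.2.1", "198.51.100.1"          # documentation addresses, assumed

def selector_matches(sel, pkt):
    """Compare an RFC 2401-style selector set (addresses, protocol, dest port)
    against a packet; 'any' in the selector matches everything."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(sel["src"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(sel["dst"])
            and sel["proto"] in ("any", pkt["proto"])
            and sel["dport"] in ("any", pkt.get("dport")))

def spd_lookup(spd, pkt):
    """First-match SPD lookup; RFC 2401 says a packet with no match is discarded."""
    for sel, action in spd:
        if selector_matches(sel, pkt):
            return action
    return "discard"

# Policy A: tunnel mode. IPsec sees the original packet, so the SPD can
# express per-flow access control (here: only HTTPS from site 1 to site 2).
TUNNEL_SPD = [
    ({"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "proto": "tcp", "dport": 443},
     "protect-tunnel"),
]

# Policy B: GRE between the gateways, then transport mode. IPsec only ever
# sees GRE (IP protocol 47) from GW1 to GW2; the inner flow is invisible to it.
GRE_TRANSPORT_SPD = [
    ({"src": GW1 + "/32", "dst": GW2 + "/32", "proto": "gre", "dport": "any"},
     "protect-transport"),
]

def gre_encapsulate(pkt):
    """The tunnel device wraps the packet; only the outer header reaches IPsec."""
    return {"src": GW1, "dst": GW2, "proto": "gre", "inner": pkt}

def decision(policy, pkt):
    """Return the SPD action for a packet under the chosen gateway policy."""
    if policy == "tunnel":
        return spd_lookup(TUNNEL_SPD, pkt)
    return spd_lookup(GRE_TRANSPORT_SPD, gre_encapsulate(pkt))

HTTPS = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 443}
TELNET = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    for name, pkt in (("https", HTTPS), ("telnet", TELNET)):
        print(name, decision("tunnel", pkt), decision("gre+transport", pkt))
```

Under tunnel mode the telnet flow is discarded by the SPD; once GRE is layered underneath transport mode, every inner flow matches the single GRE selector and is protected regardless of policy.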

