Re: IPSec Complexity



> From owner-ipsec@lists.tislabs.com  Tue Feb 15 17:44:09 2000
> Date: Tue, 15 Feb 2000 17:21:28 -0800
> From: Skye Poier <skye@ffwd.com>
> To: ipsec@lists.tislabs.com
> Subject: IPSec Complexity
> 
> Hello,
> 
> I just finished reading Niels Ferguson and Bruce Schneier's paper
> "A Cryptographic Evaluation of IPSec".  They raise some interesting 
> points, especially with regards to the complexity of the IPSec
> specification.  I am working on a plan to integrate IPSec with our
> product line and the major hurdle seems to be supporting the
> different modes (tunnel vs transport) and protocols (AH vs ESP).
> 
> In conclusion the paper recommends adopting ESP/tunnel mode with
> mandatory authentication and dropping the rest.  This certainly
> appeals to me as we were already pondering the idea of using tunnel
> mode everywhere (host-host, host-sg, sg-sg) for simplicity.

...

> I can't find any disadvantages to using tunnel mode everywhere, except
> for a slight increase in bandwidth usage.  Comments?

Yipe. I've already found that I need to use transport mode subsequent
to vanilla tunneling (IP in IP) to allow dynamic routing to run
inside an IPSEC'd overlay (VPN, if you prefer).

The packets end up looking similar - just that vanilla_tunnel+transport
IPSEC keys on the tunnel header, where transport keys on the inner header.

This is how we got around the problem of integrating tunneling with
routing. We let regular routing determine which vanilla tunnel 
to use, and the key rules remain static. Otherwise, we'd have
to tie the key rules to the dynamic routing daemon, which is a pain.

Has anyone else stumbled on this, and/or found this solution?

(I can provide more detail if useful)

Joe
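A small model of the selector difference Joe describes, added here as an example and not code from the thread or any IPsec implementation: an IPsec tunnel-mode key rule matches on the inner (end-host) addresses, so a prefix newly learned by the routing daemon needs a new rule, while IP-in-IP followed by transport-mode IPsec matches on the tunnel endpoints, so the rule stays static. All addresses, rule names and the two prefixes are constructed.

```python
# Added example, not from the thread. Models SPD selector matching for
# "IPsec tunnel mode" versus "vanilla IP-in-IP + transport-mode IPsec".
# Every address and SA name below is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IPIP = 4  # IP protocol number of vanilla IP-in-IP encapsulation

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR selector for source
    dst: str              # CIDR selector for destination
    proto: Optional[int]  # None = any protocol
    sa: str               # name of the SA / key rule to apply

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto))

def lookup(rules, pkt) -> Optional[str]:
    # First-match SPD lookup; None means no key rule covers the packet.
    return next((r.sa for r in rules if r.matches(pkt)), None)

def ipip_encap(inner: Packet, local: str, remote: str) -> Packet:
    # Vanilla IP-in-IP: the outer header carries only the tunnel endpoints.
    return Packet(local, remote, IPIP)

# Constructed topology: gateway A (192.0.2.1) <-> gateway B (198.51.100.1).
# 10.1.0.0/16 was behind B when the rules were written; 10.2.0.0/16 is
# learned later by the dynamic routing daemon running inside the overlay.
TUNNEL_MODE_RULES = [Rule("10.0.0.0/16", "10.1.0.0/16", None, "esp-tunnel-A-B")]
TRANSPORT_RULES = [Rule("192.0.2.1/32", "198.51.100.1/32", IPIP, "esp-transport-A-B")]

def sa_for_tunnel_mode(inner: Packet) -> Optional[str]:
    return lookup(TUNNEL_MODE_RULES, inner)  # keys on the inner header

def sa_for_ipip_transport(inner: Packet) -> Optional[str]:
    # Routing has already chosen the tunnel; the key rule sees the tunnel
    # header only, whatever inner prefix the packet is destined for.
    return lookup(TRANSPORT_RULES, ipip_encap(inner, "192.0.2.1", "198.51.100.1"))

if __name__ == "__main__":
    for p in (Packet("10.0.5.5", "10.1.7.7", 6), Packet("10.0.5.5", "10.2.9.9", 6)):
        print(p.dst, sa_for_tunnel_mode(p), sa_for_ipip_transport(p))
```

Running it prints the old prefix matching under both schemes and the newly learned prefix matching only under IP-in-IP + transport, which is the "key rules remain static" property the reply relies on.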