
RE: IPSec Complexity



> From owner-ipsec@lists.tislabs.com  Fri Feb 18 09:36:47 2000
> Date: Fri, 18 Feb 2000 12:29:16 -0500
> To: Chris Trobridge <CTrobridge@baltimore.com>
> From: Stephen Kent <kent@bbn.com>
> Subject: RE: IPSec Complexity
> Cc: ipsec@lists.tislabs.com
> 
> Chris,
> 
> If you do IP in IP tunneling, and then apply transport mode, you
> will suffer the access control problems I described earlier, because 
> transport mode IPsec looks only at the outer IP header, not the inner 
> one.

The only one I noticed your mentioning had to do with
the difficulty, after popping out of the IP in IP tunnel,
of determining which traffic came from where.

This is exactly what enables routing over IPSEC. The assumption
is that the IPSEC is securing the links in this mode, not the entire
system.

Or was there another problem mentioned in another message?

> Also, you will not be compliant with the IPsec Architecture as
> defined in RFC 2401.

Depends on how it's read, perhaps. If you are referring to page 9/10:

           b) A security gateway is required to support only tunnel
              mode.  If it supports transport mode, that should be used
              only when the security gateway is acting as a host, e.g.,
              for network management.

When it comes to overlays, a gateway acts as both host and gateway.
It is a host in how it terminates tunnels, and as far as the base network
is concerned; it is a gateway as far as the overlay is concerned.

Since the IPSEC is visible to the base network, it is an IPSEC-style
host. The overlay network does not see the IPSEC at all.

Is this the compliance issue?

Joe
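
The two points at issue in the exchange above, as an added example that is not part of the thread: a toy RFC 2401-style SPD lookup showing that transport-mode IPsec applied to an IP-in-IP tunnel can only match selectors on the outer header (Kent's access-control objection), and that once the IP-in-IP tunnel is popped the overlay cannot tell which SA a packet arrived on (the "which traffic came from where" point that Joe says is exactly what lets the overlay treat IPsec as a secured link). The gateways, site prefixes and policies are constructed for illustration and are not from the discussion.

```python
"""Added example, not part of the thread: a toy RFC 2401-style SPD lookup
showing why transport-mode IPsec over an IP-in-IP tunnel can only enforce
policy on the outer header.  All addresses and policies are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003)


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Packet:
    outer: IPHeader
    inner: Optional[IPHeader] = None  # set when outer.proto == IPPROTO_IPIP


@dataclass(frozen=True)
class SPDEntry:
    """Selectors of one SPD entry: source net, destination net, protocol."""
    src_net: str
    dst_net: str
    proto: Optional[int]  # None is a wildcard

    def matches(self, hdr: IPHeader) -> bool:
        return (ipaddress.ip_address(hdr.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(hdr.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == hdr.proto))


def selector_header(pkt: Packet, mode: str) -> IPHeader:
    """Header the SPD selectors are evaluated against.

    Transport mode protects the payload of the outer IP header and never
    looks inside an IP-in-IP payload.  IPsec tunnel mode does its own
    encapsulation, so RFC 2401 takes its selectors from the inner header."""
    if mode == "transport":
        return pkt.outer
    if mode == "tunnel":
        if pkt.inner is None:
            raise ValueError("tunnel mode needs an inner header")
        return pkt.inner
    raise ValueError(f"unknown mode {mode!r}")


def spd_permits(spd: List[SPDEntry], pkt: Packet, mode: str) -> bool:
    """True if some SPD entry matches the header the given mode can see."""
    hdr = selector_header(pkt, mode)
    return any(entry.matches(hdr) for entry in spd)


def decapsulate(pkt: Packet) -> IPHeader:
    """What the overlay sees after the IP-in-IP tunnel is popped: only the
    inner header.  The outer header, and with it the SA it arrived on, is gone."""
    if pkt.outer.proto != IPPROTO_IPIP or pkt.inner is None:
        raise ValueError("not an IP-in-IP packet")
    return pkt.inner


# Constructed scenario (hypothetical addresses): gateway A at 192.0.2.1
# fronts 10.1.0.0/16, gateway B at 198.51.100.1 fronts 10.2.0.0/16.
# Intended policy at A: accept only B's site traffic into A's site.
LINK_SPD = [SPDEntry("198.51.100.1/32", "192.0.2.1/32", IPPROTO_IPIP)]  # transport mode
SITE_SPD = [SPDEntry("10.2.0.0/16", "10.1.0.0/16", None)]               # tunnel mode

OUTER_FROM_B = IPHeader("198.51.100.1", "192.0.2.1", IPPROTO_IPIP)
LEGIT = Packet(OUTER_FROM_B, IPHeader("10.2.0.5", "10.1.0.9", 6))
SPOOFED = Packet(OUTER_FROM_B, IPHeader("10.3.0.7", "10.1.0.9", 6))  # inner src not B's site


def transport_mode_results() -> Tuple[bool, bool]:
    """(legit permitted, spoofed permitted): both True, because only the
    outer header is checked and it is identical for both packets."""
    return (spd_permits(LINK_SPD, LEGIT, "transport"),
            spd_permits(LINK_SPD, SPOOFED, "transport"))


def tunnel_mode_results() -> Tuple[bool, bool]:
    """(legit permitted, spoofed permitted): True, False, since the inner
    source address is a selector."""
    return (spd_permits(SITE_SPD, LEGIT, "tunnel"),
            spd_permits(SITE_SPD, SPOOFED, "tunnel"))


def peers_indistinguishable_after_decap() -> bool:
    """Same inner header arriving from two different peers yields identical
    decapsulated packets: the overlay cannot tell which SA each came from."""
    outer_from_c = IPHeader("203.0.113.1", "192.0.2.1", IPPROTO_IPIP)
    via_b = Packet(OUTER_FROM_B, IPHeader("10.2.0.5", "10.1.0.9", 6))
    via_c = Packet(outer_from_c, IPHeader("10.2.0.5", "10.1.0.9", 6))
    return decapsulate(via_b) == decapsulate(via_c)


if __name__ == "__main__":
    print("transport mode over IP-in-IP:", transport_mode_results())
    print("IPsec tunnel mode:           ", tunnel_mode_results())
    print("peers indistinguishable after decap:", peers_indistinguishable_after_decap())
```

The transport-mode SPD entry has to be written in terms of the tunnel endpoints and protocol 4, so a packet with a forged inner source is accepted as long as the outer header is right; the same forged packet is rejected under an IPsec tunnel-mode entry keyed on the site prefixes. Whether that is a defect or a feature is precisely the disagreement in the thread: if IPsec is meant to secure the overlay link, per-flow access control belongs to the overlay, not to the SA.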

