
RE: IPSec Complexity



> From owner-ipsec@lists.tislabs.com  Fri Feb 18 10:37:16 2000
> Date: Fri, 18 Feb 2000 20:30:30 +0200 (EET)
> From: Markku Savela <msa@anise.tte.vtt.fi>
> To: CTrobridge@baltimore.com
> CC: ipsec@lists.tislabs.com
> Subject: RE: IPSec Complexity
> 
> > From: Chris Trobridge <CTrobridge@baltimore.com>
> >
> > The only way around this would be, as I think someone's already
> > said, to perform IP in IP tunneling first and then use Transport mode.
> 
> On the wire, tunnel mode is *exactly* the same as transport mode applied to
> an IPIP tunnel. Bitstreams are identical.

They weren't when we did it. Maybe something has/is changed/ing,
or this was purely an implementation issue. The difference was on keying - 

	in tunnel-mode IPSEC, the inner header indexes the key

	in IPIP then transport IPSEC, the outer (IPIP) header indexes the key

> One end could be applying IPSEC transport mode to IPIP tunnel, and
> other end could be doing IPSEC in tunnel mode, and they can
> communicate quite okay.

The issue has to do with key lookup on _send_. It may be difficult to get
an IPSEC/tunnel to generate the appropriate packets. 

Joe
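
The two constructions discussed in this thread, as an added example that is not part of the original messages: it builds the same inner packet both ways and returns the header fields the policy lookup sees on send alongside the resulting wire bytes. Assumptions: NULL encryption with no ICV, IPv4 header checksum left at zero, identical outer-header fields in both paths, constructed addresses and SPI, and hypothetical function names.

```python
import socket
import struct

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left 0 for brevity) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def esp_null(spi, seq, data, next_header):
    """ESP layout with NULL encryption, no ICV: SPI, seq, data, pad, pad len, next hdr."""
    pad_len = (-(len(data) + 2)) % 4          # align trailer to a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))        # default padding bytes 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + data + pad + bytes([pad_len, next_header])

def selector(pkt):
    """(src, dst, protocol) of the IPv4 header that the policy lookup sees."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def tunnel_mode(inner_pkt, gw_src, gw_dst, spi, seq):
    # Lookup happens on the inner packet; IPsec itself adds the outer header.
    key = selector(inner_pkt)
    wire = ipv4(gw_src, gw_dst, 50, esp_null(spi, seq, inner_pkt, 4))
    return key, wire

def ipip_then_transport(inner_pkt, gw_src, gw_dst, spi, seq):
    # IPIP encapsulates first, so the lookup only sees the outer (proto 4) header.
    ipip = ipv4(gw_src, gw_dst, 4, inner_pkt)
    key = selector(ipip)
    # Transport mode: keep the outer header, wrap its payload, carry proto 4 in ESP.
    wire = ipv4(gw_src, gw_dst, 50, esp_null(spi, seq, ipip[20:], ipip[9]))
    return key, wire

def compare():
    """Run both paths on one constructed packet; return both keys and both wires."""
    inner = ipv4("10.1.0.5", "10.2.0.9", 6, b"constructed payload")  # sample data
    gw = ("192.0.2.1", "198.51.100.1")                               # sample gateways
    k_tun, w_tun = tunnel_mode(inner, *gw, spi=0x1000, seq=1)
    k_ipip, w_ipip = ipip_then_transport(inner, *gw, spi=0x1000, seq=1)
    return k_tun, k_ipip, w_tun, w_ipip

if __name__ == "__main__":
    k_tun, k_ipip, w_tun, w_ipip = compare()
    print("tunnel-mode lookup key:    ", k_tun)
    print("IPIP+transport lookup key: ", k_ipip)
    print("wire bytes identical:      ", w_tun == w_ipip)
```
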