
Re: Replacing private lines with tunnels




>>>>> "Sanjai" == Sanjai Narain <narain@research.telcordia.com> writes:
    Sanjai> connectivity between the gateway routers. Now suppose the private
    Sanjai> lines are replaced by IPSec tunnels. Then any-to-any connectivity
    Sanjai> will be lost.  This is because router interfaces at tunnel
    Sanjai> endpoints will, in general, not belong to the same subnet, so
    Sanjai> OSPF won't work.

  If you are saying that OSPF does not work when one uses unnumbered PPP
links, then I guess you are right. I don't see why that should be the case.
  There are IPsec implementations that actually have interfaces for the
tunnels. NRL's was one. Recent implementations have abandoned this, claiming
scalability reasons.

    Sanjai> So, what can be done to restore any-to-any connectivity between
    Sanjai> the gateway routers? In particular, do people implement a form of
    Sanjai> static routing over tunnels, i.e., direct the traffic coming out
    Sanjai> of one tunnel into another?

  Some do.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [