Henry Spencer wrote:
>
> On Tue, 21 Nov 2000 itojun@iijlab.net wrote:
> > >Strongly agree. We'd like to see AH die entirely...
> >
> > (again this holy war on AH)
> > I don't. if you use transport mode IPsec heavily (unlike today's
> > VPN-only situation) how can you protect your header portion?
>
> Why would you have to use transport mode IPsec heavily? What problem does
> it solve that tunnel mode doesn't?

Tunnel mode (in current implementations I'm aware of, at least) does not
support dynamic routing inside a VPN, since IPsec tunnels aren't
represented in routing tables.

What does tunnel mode give you that IPIP tunnels + IPsec transport mode
don't? Inbound processing for both should be identical, since you can't
tell the difference by looking at the packet.

Lars
--
Lars Eggert <larse@isi.edu>
Information Sciences Institute
http://www.isi.edu/larse/
University of Southern California
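The wire-format point in the message above, as an added example that is not part of the original post: it builds one packet with ESP tunnel mode and one with IPIP encapsulation followed by ESP transport mode, and compares the bytes. Assumptions: the addresses, SPI and sequence number are constructed, both paths use the same outer-header fields, and the ESP payload is left unencrypted with no ICV so the layout stays visible.

```python
import socket
import struct

ESP, IPIP, UDP = 50, 4, 17  # IANA protocol numbers

def checksum(hdr: bytes) -> int:
    """Internet checksum over an IPv4 header whose checksum field is zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload, ident=0, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def esp_body(spi, seq, data, next_header):
    """ESP header + payload + trailer (pad, pad length, next header), in the clear."""
    pad_len = (-(len(data) + 2)) % 4
    pad = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + data + pad + bytes([pad_len, next_header])

def tunnel_mode(inner_pkt, gw_src, gw_dst, spi, seq):
    """ESP tunnel mode: new outer header, whole inner packet becomes the payload."""
    return ipv4(gw_src, gw_dst, ESP, esp_body(spi, seq, inner_pkt, IPIP))

def ipip_then_transport(inner_pkt, gw_src, gw_dst, spi, seq):
    """IPIP tunnel interface first, then ESP transport mode on the result."""
    ipip = ipv4(gw_src, gw_dst, IPIP, inner_pkt)
    ihl = (ipip[0] & 0x0F) * 4
    hdr, payload = ipip[:ihl], ipip[ihl:]
    # Transport mode keeps the IP header, moves its protocol value (4)
    # into the ESP trailer and sets the header's protocol to ESP.
    return ipv4(gw_src, gw_dst, ESP, esp_body(spi, seq, payload, hdr[9]))

# Constructed sample: a UDP-protocol inner packet between two private hosts,
# carried between two gateways in documentation address ranges.
INNER = ipv4("10.1.0.5", "10.2.0.9", UDP, b"constructed payload")
ARGS = (INNER, "192.0.2.1", "198.51.100.1", 0x1000, 1)

if __name__ == "__main__":
    a, b = tunnel_mode(*ARGS), ipip_then_transport(*ARGS)
    print("identical on the wire:", a == b)
```
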