Re: RFC 2401 section 5.2.1
On Tue, 21 Nov 2000, Lars Eggert wrote:
> > Why would you have to use transport mode IPsec heavily? What problem does
> > it solve that tunnel mode doesn't?
>
> Tunnel mode (in current implementations I'm aware of, at least) does not
> support dynamic routing inside a VPN, since IPsec tunnels aren't
> represented in routing tables.
This is a problem in routing implementation, not IPsec tunnel mode. There
is no reason why IPsec tunnels shouldn't be represented in routing tables.
> What does tunnel mode give you that IPIP tunnels + IPsec transport mode
> don't?
Most notably, IPsec SPD checking of the inner headers, which is of some
small importance for network security.
> Inbound processing for both should be identical, since you can't
> tell the difference by looking at the packet.
Life would be simpler if that were so, but it's not. See RFC 2401.
Henry Spencer
henry@spsystems.net
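To make concrete what Henry means by "SPD checking of the inner headers", here is an added illustration (not code from this thread or from any IPsec implementation) of the RFC 2401 section 5.2.1 inbound step that compares a packet's selectors with those of the SA it arrived on. The packet builder, the SA model, the gateway addresses and the subnets are all constructed for the example. The same two decrypted inner packets are run through a tunnel-mode SA and through an IPIP-over-transport-mode SA: in tunnel mode the selectors come from the inner header, so a packet whose inner source is outside the negotiated subnet is dropped; with IPIP plus transport mode the SA can only describe the protocol-4 flow between the two gateways, so the inner header is never checked by IPsec at all.

```python
# Added illustration of the selector check Henry is pointing at (RFC 2401
# section 5.2.1 inbound processing), not code from the original thread.
# The packet builder, SA model, addresses and policies below are constructed
# for the example; a real implementation works on kernel packet buffers.
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6


def build_ipv4(src, dst, proto, payload=b""):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


class SA:
    """Inbound SA with the selectors negotiated for it (constructed model)."""

    def __init__(self, mode, src_net, dst_net, proto=None):
        self.mode = mode                      # "tunnel" or "transport"
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.proto = proto                    # None = any protocol

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in self.src_net
                and ipaddress.ip_address(dst) in self.dst_net
                and (self.proto is None or self.proto == proto))


def inbound_selector_check(sa, outer, esp_plaintext, next_header):
    """RFC 2401 5.2.1 step after ESP/AH processing: compare the packet's
    selectors with those of the SA it arrived on.

    outer         -- (src, dst) of the IP header that carried the ESP packet
    esp_plaintext -- the decrypted ESP payload
    next_header   -- the Next Header field from the ESP trailer

    Tunnel mode: the outer header is discarded and the selectors are taken
    from the inner IP header that the plaintext starts with.
    Transport mode: the outer header is the only IP header IPsec sees, so
    the selectors are (outer src, outer dst, next_header). An IP-in-IP
    packet inside is protocol 4 payload and its own header is never checked.
    """
    if sa.mode == "tunnel":
        src, dst, proto, _ = parse_ipv4(esp_plaintext)
    else:
        (src, dst), proto = outer, next_header
    selectors = (src, dst, proto)
    return sa.matches(*selectors), selectors


def demo():
    """Same two inner packets through both designs; returns accept/drop per case."""
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"       # constructed tunnel endpoints
    legit = build_ipv4("10.1.1.1", "10.2.2.2", IPPROTO_TCP, b"GET /")
    spoofed = build_ipv4("192.0.2.9", "10.2.2.2", IPPROTO_TCP, b"GET /")

    # Tunnel-mode SA: selectors describe the protected subnets.
    tunnel_sa = SA("tunnel", "10.1.0.0/16", "10.2.0.0/16")
    # IPIP + transport-mode SA: selectors can only describe the IPIP flow
    # between the two gateways.
    transport_sa = SA("transport", gw_a + "/32", gw_b + "/32", IPPROTO_IPIP)

    results = {}
    for name, inner in (("legit", legit), ("spoofed", spoofed)):
        ok, _ = inbound_selector_check(tunnel_sa, (gw_a, gw_b), inner, IPPROTO_IPIP)
        results["tunnel/" + name] = ok
        ok, _ = inbound_selector_check(transport_sa, (gw_a, gw_b), inner, IPPROTO_IPIP)
        results["ipip+transport/" + name] = ok
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:25s} {'accepted' if accepted else 'DROPPED by selector check'}")
```

Running it shows the spoofed inner packet dropped by the tunnel-mode SA and accepted unchanged on the IPIP-plus-transport path, since there the inner packet is only ever seen by the IPIP decapsulator, not by IPsec policy.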