
Re: RFC 2401 section 5.2.1



On Tue, 21 Nov 2000, Lars Eggert wrote:
> > Why would you have to use transport mode IPsec heavily?  What problem does
> > it solve that tunnel mode doesn't?
> 
> Tunnel mode (in current implementations I'm aware of, at least) does not
> support dynamic routing inside a VPN, since IPsec tunnels aren't
> represented in routing tables.

This is a problem in routing implementation, not IPsec tunnel mode.  There
is no reason why IPsec tunnels shouldn't be represented in routing tables.

> What does tunnel mode give you that IPIP tunnels + IPsec transport mode
> don't?

Most notably, IPsec SPD checking of the inner headers, which is of some
small importance for network security. 

> Inbound processing for both should be identical, since you can't
> tell the difference by looking at the packet.

Life would be simpler if that were so, but it's not.  See RFC 2401.

                                                          Henry Spencer
                                                       henry@spsystems.net
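As an added illustration of the point above (not part of this thread and not code from any IPsec implementation): a small Python model of the inbound selector check RFC 2401 section 5.2.1 calls for after ESP decapsulation, showing that tunnel mode checks the inner header against the SA's selectors while IPIP + transport mode never does. The `SA`, `Packet`, `inbound_check` and `demo` names and the RFC 5737 documentation addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

IPPROTO_IPIP = 4  # "next header" value of an IP-in-IP tunnel

@dataclass
class SA:              # hypothetical inbound security association
    mode: str          # "tunnel" or "transport"
    src_net: str       # selector: allowed source addresses (CIDR)
    dst_net: str       # selector: allowed destination addresses (CIDR)

@dataclass
class Packet:          # constructed stand-in for an IP header (+ inner packet)
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None

def selectors_match(sa: SA, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(sa.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(sa.dst_net))

def inbound_check(sa: SA, esp_pkt: Packet) -> Optional[Packet]:
    """Selector check after ESP decapsulation on `sa` (a model of the RFC 2401
    5.2.1 step). Returns the packet passed up the stack, or None to drop."""
    if sa.mode == "tunnel":
        # Tunnel mode: the SA's selectors are compared with the INNER header.
        inner = esp_pkt.inner
        if inner is None or not selectors_match(sa, inner):
            return None
        return inner
    # Transport mode: selectors apply only to the header that carried ESP.
    if not selectors_match(sa, esp_pkt):
        return None
    if esp_pkt.proto == IPPROTO_IPIP:
        # IPIP decapsulation happens outside IPsec: no selector sees the inner header.
        return esp_pkt.inner
    return esp_pkt

# Constructed scenario: gateways 192.0.2.1 and 198.51.100.1 are meant to carry
# 10.1/16 <-> 10.2/16, but an inner packet arrives claiming source 10.3.0.5.
INNER = Packet("10.3.0.5", "10.2.0.7", 6)
OUTER = Packet("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, INNER)
TUNNEL_SA = SA("tunnel", "10.1.0.0/16", "10.2.0.0/16")
IPIP_SA = SA("transport", "192.0.2.1/32", "198.51.100.1/32")

def demo():
    # tunnel mode drops the off-policy packet; IPIP + transport delivers it unchecked
    return inbound_check(TUNNEL_SA, OUTER), inbound_check(IPIP_SA, OUTER)
```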


