
Re: RFC 2401 section 5.2.1





Henry Spencer wrote:
> 
> On Tue, 21 Nov 2000, Lars Eggert wrote:
> > > Why would you have to use transport mode IPsec heavily?  What problem does
> > > it solve that tunnel mode doesn't?
> >
> > Tunnel mode (in current implementations I'm aware of, at least) does not
> > support dynamic routing inside a VPN, since IPsec tunnels aren't
> > represented in routing tables.
> 
> This is a problem in routing implementation, not IPsec tunnel mode.  There
> is no reason why IPsec tunnels shouldn't be represented in routing tables.

This would require synchronizing updates to the key databases with
updates to the routing tables.

That would certainly make things more complex, not less.

> > What does tunnel mode give you that IPIP tunnels + IPsec transport mode
> > don't?
> 
> Most notably, IPsec SPD checking of the inner headers, which is of some
> small importance for network security.

You can set that rule when you set up the tunnel. It need not
be an integrated function of setting the transport IPSEC.

Joe
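As an added illustration of the point under discussion (not part of the original post or of any implementation mentioned in it): with IPIP encapsulation plus transport-mode IPsec, the outer SPD only ever sees the tunnel endpoints, so a check of the encapsulated ("inner") source and destination has to be applied as a separate rule on the decapsulated packet. The code below is a toy model that builds a constructed IPIP packet, applies a hypothetical outer policy to the encapsulating header, then decapsulates and applies a hypothetical inner policy to the encapsulated header. The policy format, the function names and the addresses (documentation and private ranges) are all assumptions made for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation
IPPROTO_TCP = 6

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header for constructed test packets (checksum left as zero)."""
    return struct.pack(
        IPV4_HDR,
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4_header(pkt: bytes):
    """Return (src, dst, proto, header_len); reject truncated or non-IPv4 input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tl, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, ihl


def lookup(policy, src: str, dst: str) -> str:
    """First-match lookup over an ordered list of (src_net, dst_net, action); default discard."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "discard"


# Hypothetical outer SPD: only the IPIP traffic between the two tunnel endpoints is protected.
OUTER_SPD = [("192.0.2.1/32", "198.51.100.1/32", "protect")]

# Hypothetical inner rule, the one a tunnel setup would install: only these VPN prefixes may cross.
INNER_POLICY = [("10.1.0.0/16", "10.2.0.0/16", "permit")]


def inspect_tunnelled(pkt: bytes, outer_policy, inner_policy):
    """Outer verdict from the encapsulating header; inner verdict (after decapsulation)
    from the encapsulated header. Returns (outer_verdict, inner_verdict_or_None)."""
    osrc, odst, oproto, ohl = parse_ipv4_header(pkt)
    outer_verdict = lookup(outer_policy, osrc, odst)
    if outer_verdict != "protect" or oproto != IPPROTO_IPIP:
        return outer_verdict, None
    # Decapsulate: the inner header starts right after the outer one.
    isrc, idst, _iproto, _ihl = parse_ipv4_header(pkt[ohl:])
    return outer_verdict, lookup(inner_policy, isrc, idst)


def make_packet(osrc: str, odst: str, isrc: str, idst: str) -> bytes:
    """Constructed IPIP packet: outer header carrying an inner TCP/IPv4 header."""
    inner = build_ipv4_header(isrc, idst, IPPROTO_TCP, 0)
    return build_ipv4_header(osrc, odst, IPPROTO_IPIP, len(inner)) + inner


if __name__ == "__main__":
    ok = make_packet("192.0.2.1", "198.51.100.1", "10.1.0.5", "10.2.0.7")
    bad_inner = make_packet("192.0.2.1", "198.51.100.1", "172.16.0.9", "10.2.0.7")
    bad_outer = make_packet("203.0.113.9", "198.51.100.1", "10.1.0.5", "10.2.0.7")
    for name, p in [("ok", ok), ("bad_inner", bad_inner), ("bad_outer", bad_outer)]:
        print(name, inspect_tunnelled(p, OUTER_SPD, INNER_POLICY))
```

The second packet is the case the thread is about: the outer check passes because the tunnel endpoints are right, and only the separate inner rule catches an encapsulated source outside the VPN prefixes. Whether that inner rule lives in the IPsec SPD (tunnel mode) or is attached to the IPIP interface (transport mode plus a tunnel rule) is exactly the choice being debated above; the model just makes visible that the check exists in either design.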

