[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 2401 section 5.2.1

To: "Joseph D. Harwood" <jharwood@vesta-corp.com>
Subject: Re: RFC 2401 section 5.2.1
From: Joe Touch <touch@ISI.EDU>
Date: Wed, 22 Nov 2000 14:24:08 -0800
CC: Lars Eggert <larse@ISI.EDU>, ipsec@lists.tislabs.com
References: <NDBBIBHFGLMFGJLIBOBMAEEICBAA.jharwood@vesta-corp.com>
Sender: owner-ipsec@lists.tislabs.com



"Joseph D. Harwood" wrote:
> 
> >
> > What does tunnel mode give you that IPIP tunnels + IPsec transport mode
> > don't? Inbound processing for both should be identical, since you can't
> > tell the difference by looking at the packet.
> 
> Not quite identical.  After IPsec processing, the received packet's
> selectors are checked against the SPD to make sure all of the appropriate
> processing has been performed.  In Tunnel mode, these selectors are from the
> inner (encapsulated) header, in IPIP + IPsec transport these selectors are
> from the outer header.

Agreed. It's exactly that difference that allows IPIP+transport
to support dynamic routing over per-hop IPSEC'd tunnels.

Joe

References:

RE: RFC 2401 section 5.2.1

From: "Joseph D. Harwood" <jharwood@vesta-corp.com>

Prev by Date: RE: RFC 2401 section 5.2.1
Next by Date: Re: RFC 2401 section 5.2.1
Prev by thread: Re: RFC 2401 section 5.2.1
Next by thread: Re: RFC 2401 section 5.2.1
Index(es):
- Main
- Thread