
Re: RFC 2401 section 5.2.1
Henry Spencer wrote:
> 
> On Wed, 22 Nov 2000, Joe Touch wrote:
> > > > Tunnel mode (in current implementations I'm aware of, at least) does not
> > > > support dynamic routing inside a VPN, since IPsec tunnels aren't
> > > > represented in routing tables.
> > > This is a problem in routing implementation, not IPsec tunnel mode...
> >
> > This would require synchronizing updates to the key databases with
> > updates to the routing tables.
> 
> Quite so, in the same way that it requires synchronizing updates to
> hardware status with updates to the routing tables.  This does not seem
> conceptually difficult; the IPsec SAs are just virtual wires, so when
> their status changes, routing has to know about it.

It's actually the other way around that's harder - the key database
has to be changed when the link goes down. This means gated/mrtd
needs to communicate with the key database.

Links going down aren't necessarily local - this happens any time
a route (in the routing table) changes. 

> > > > What does tunnel mode give you that IPIP tunnels + IPsec transport mode
> > > > don't?
> > > Most notably, IPsec SPD checking of the inner headers...
> >
> > You can set that rule when you set up the tunnel. It need not
> > be an integrated function of setting the transport IPSEC.
> 
> But which IPsec SA the packet emerged from is significant information for
> the checking. 

Yes - that's why you're supposed to retain it with the decrypted packet anyway.

Joe
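The inbound check the two are arguing about (RFC 2401 section 5.2.1 verifies the decapsulated packet against the selectors of the SA it emerged from), as an added Python example that is not part of this thread. The SAD contents, SPIs and addresses are constructed; the tunnel-endpoint variant shows what is lost when the SA identity is not retained with the decrypted packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selectors an SA was negotiated for (RFC 2401 section 4.4.2)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None  # None means any protocol

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto))


# Constructed SAD: inbound SA identified by (SPI, peer gateway) -> its selectors.
SAD = {
    (0x1001, "203.0.113.1"): Selector(ipaddress.ip_network("10.1.0.0/16"),
                                      ipaddress.ip_network("10.2.0.0/16")),
    (0x1002, "203.0.113.2"): Selector(ipaddress.ip_network("10.3.0.0/16"),
                                      ipaddress.ip_network("10.2.0.0/16")),
}


def inbound_check(sa_id, inner_src: str, inner_dst: str, inner_proto: int) -> bool:
    """RFC 2401 5.2.1 style: after decapsulation, the inner headers must match
    the selectors of the SA the packet actually arrived on, not just any SA."""
    sel = SAD.get(sa_id)
    return sel is not None and sel.matches(inner_src, inner_dst, inner_proto)


def tunnel_only_check(inner_src: str, inner_dst: str, inner_proto: int) -> bool:
    """Check applied at an IPIP tunnel endpoint that no longer knows the SA:
    the best it can do is ask whether *some* SA covers the inner headers,
    so a peer on one SA can inject traffic that another SA was negotiated for."""
    return any(s.matches(inner_src, inner_dst, inner_proto) for s in SAD.values())


if __name__ == "__main__":
    # Inner packet 10.3.0.5 -> 10.2.0.9 arriving on SA 0x1001 (negotiated for 10.1/16 only)
    print(inbound_check((0x1001, "203.0.113.1"), "10.3.0.5", "10.2.0.9", 6))  # False
    print(tunnel_only_check("10.3.0.5", "10.2.0.9", 6))  # True: SA 0x1002 happens to cover it
```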
