
Re: Death to AH (was Re: SA identification)



Sandy Harris wrote:
> Methinks you can implement either mode in terms of the other, either doing tunnels
> over transport connections or treating transport mode as a tunnel with single
> machines as endpoints.

Assuming you mean IPIP tunnels with IPsec transport SAs,
draft-touch-ipsec-vpn-01.txt has details on the former.

As for the latter, it'd be interesting to see how much overhead end-to-end
tunnel mode really has (smaller MTU + slightly higher per-packet processing
overhead). And current implementations (I'm familiar with) don't integrate
IPsec tunnels with dynamic routing.

Lars
-- 
Lars Eggert <larse@isi.edu>                 Information Sciences Institute
http://www.isi.edu/larse/                University of Southern California
