Sandy Harris wrote:

> Methinks you can implement either mode in terms of the other, either doing tunnels
> over transport connections or treating transport mode as a tunnel with single
> machines as endpoints.

Assuming you mean IPIP tunnels with IPsec transport SAs, draft-touch-ipsec-vpn-01.txt has details on the former.

As for the latter, it'd be interesting to see how much overhead end-to-end tunnel mode really has (smaller MTU + slightly higher per-packet processing overhead). And current implementations (I'm familiar with) don't integrate IPsec tunnels with dynamic routing.

Lars
--
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California