Re: Two issues: AH death, and SA identification
At 10:29 AM +0200 3/24/01, Markku Savela wrote:
>The tunnel vs. transport mode is a related issue. As coded, a "tunnel
>mode" is just "transport mode applied to IP tunnel" (even though the
>tunnel wrap/unwrap is also done within IPSEC). Again, using my above
>definition, this is an "internal implementation issue".
Yes and no. Implementation choices affect upper layers; IPsec
tunnel mode is a good example. Consider a virtual network of tunnels:
       C
      / \
  A--B   E--F
      \ /
       D
Each link in the topology is a tunnel. For a packet from A->F, B has
two path choices. Using a tunneling mechanism whose implementation
is based on tunnel devices (which are represented in the routing
table), you can run your favorite dynamic routing protocol on the
virtual network, and things work.
Using (some) IPsec tunnel implementations, where IPsec does
(un)wrapping, tunnels are not represented in the routing table; the
overlay is invisible to dynamic routing.
For a simple topology (one tunnel between two security gateways),
both implementations work; in the former case, packets are tunneled
because they match a route, in the latter case, because they match an
IPsec SA.
So my point is, internal implementation issues have visible consequences.
Lars
--
Lars Eggert <larse@isi.edu> Information Sciences Institute
http://www.isi.edu/larse/ University of Southern California
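An added illustration of the distinction Lars draws above, not code from the thread or from any IPsec implementation: a toy Python model of the five-node overlay in his diagram. In the route-based model every tunnel is a link the routing protocol can see (hop-count shortest path stands in for "your favorite dynamic routing protocol"), so when the B-C tunnel dies B reroutes A->F via D. In the policy-based model each gateway forwards A->F by a static SPD selector bound to one SA; the topology, the SPD tables and the equal link costs are all constructed for the example, and a dead tunnel simply blackholes the packet because nothing in the routing table ever represented it.

```python
import heapq

# Constructed five-node overlay from the post: each pair is one tunnel.
TUNNELS = [("A", "B"), ("B", "C"), ("B", "D"), ("C", "E"), ("D", "E"), ("E", "F")]


def up_links(links, failed=None):
    """Return the links still up, dropping `failed` in either orientation."""
    if failed is None:
        return list(links)
    a, b = failed
    return [link for link in links if set(link) != {a, b}]


def overlay(links):
    """Adjacency map of the virtual network built from the live tunnels."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(adj, src, dst):
    """Hop-count Dijkstra; stands in for any dynamic routing protocol.
    Neighbors are visited in sorted order so tie-breaking is deterministic."""
    dist = {src: 0}
    prev = {}
    pq = [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v in sorted(adj.get(u, ())):
            nd = d + 1
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(pq, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def route_based_forward(links, src, dst, failed=None):
    """Route-based tunnels: each tunnel is a device with a route, so the
    path is recomputed from whatever links are currently up."""
    return shortest_path(overlay(up_links(links, failed)), src, dst)


# Constructed per-gateway SPD: selector (src, dst) -> peer of the SA to use.
# This is the "packet matches an IPsec SA" case; no route exists for the overlay.
SPD = {
    "A": {("A", "F"): "B"},
    "B": {("A", "F"): "C"},
    "C": {("A", "F"): "E"},
    "E": {("A", "F"): "F"},
}


def policy_based_forward(links, src, dst, failed=None, spd=SPD):
    """Policy-based tunnels: every hop forwards by SPD match. If the SA's
    tunnel is down the packet is blackholed; routing never learns of it."""
    alive = {frozenset(link) for link in up_links(links, failed)}
    node, path = src, [src]
    while node != dst:
        peer = spd.get(node, {}).get((src, dst))
        if peer is None or frozenset((node, peer)) not in alive:
            return None  # SPD still points at a dead tunnel
        path.append(peer)
        node = peer
    return path


if __name__ == "__main__":
    for failed in (None, ("B", "C")):
        print("failed link:", failed)
        print("  route-based :", route_based_forward(TUNNELS, "A", "F", failed))
        print("  policy-based:", policy_based_forward(TUNNELS, "A", "F", failed))
```

Run it stand-alone and both models agree while every tunnel is up; take the B-C tunnel down and only the route-based overlay finds the A-B-D-E-F path. Real implementations that expose IPsec tunnels as virtual interfaces behave like the first model; pure SPD/SA-driven implementations behave like the second, which is the point of the post.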