
ipsec in tunnel mode and dynamic routing

Hi all,
I have a question about using IPsec in tunnel mode together with dynamic
routing: I read draft-touch-ipsec-vpn-01.txt, but
I'm not sure that I understood it correctly.

Consider this example (it is very similar to the example given in the
draft):


                             B
                           /   \
                      3  /       \  4
                       /           \
        X --...--> A                 D --...--> Y
                       \           /
                      1  \       /  1
                           \   /
                             C


(The numbers next to the links represent the link weights used by dynamic
routing; links A-B and A-C are untrusted.)

I think this is what happens:

- a packet arrives at A with SA=X and DA=Y (SA = source address;
DA = destination address)
- A has to apply IPsec in tunnel mode to this packet because links A-B
and A-C are untrusted
- IPsec can't know whether the optimal route to D is through A or B
- Suppose that the SPD and SAD are configured so that the packet is
encapsulated with SA=A and DA=B (i.e. tunnel A-B is used, not
tunnel A-C)
- The packet arrives at Y through A-B-D: this is clearly not the optimal
route, because it has weight 7 versus weight 2 for the A-C-D route.

Obviously, if link B-D goes down, there is no way to send the packet to D
using IPsec without changing the IPsec configuration file.
That is, with IPsec we lose some of the advantages of dynamic routing.
Is this right?
Are there any other problems with using dynamic routing and IPsec together,
or is this the only one?
Thank you in advance

		Gerardo
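A small model of the scenario above, added here as an example (it is not from the post or from the draft): it computes the route a link-state protocol would pick on the diagram's weights and compares it with the path forced by a statically configured tunnel, including the case where link B-D fails. The link weights are taken from the diagram; the trust model (cleartext must not cross A-B or A-C) is an assumption made for the example.

```python
import heapq

# Constructed from the post's diagram: link weights used by dynamic routing.
LINKS = {("A", "B"): 3, ("B", "D"): 4, ("A", "C"): 1, ("C", "D"): 1}
# Links that must not carry cleartext traffic (assumed trust model).
UNTRUSTED = {frozenset(("A", "B")), frozenset(("A", "C"))}

def build_graph(links):
    """Undirected weighted adjacency map from a {(u, v): weight} dict."""
    graph = {}
    for (u, v), w in links.items():
        graph.setdefault(u, {})[v] = w
        graph.setdefault(v, {})[u] = w
    return graph

def shortest_path(graph, src, dst):
    """Dijkstra: the path a link-state routing protocol converges to.
    Returns (cost, [hops]) or None if dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            path = [u]
            while u in prev:
                u = prev[u]
                path.append(u)
            return d, path[::-1]
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return None

def tunnel_path(links, src, dst, peer, untrusted=UNTRUSTED):
    """Path taken when the SPD/SAD statically selects the tunnel src->peer.
    Only the src-peer hop is protected; after decapsulation at peer the packet
    is cleartext, so the remainder must avoid untrusted links (else None)."""
    graph = build_graph(links)
    if peer not in graph.get(src, {}):
        return None  # the tunnel's own link is down
    inner = {k: w for k, w in links.items() if frozenset(k) not in untrusted}
    rest = shortest_path(build_graph(inner), peer, dst)
    if rest is None:
        return None
    cost, path = rest
    return graph[src][peer] + cost, [src] + path
```

With the tunnel to B configured, the packet takes A-B-D at cost 7 while routing alone would pick A-C-D at cost 2; removing link B-D leaves the routing protocol a path but the static tunnel none.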