Re: ipsec in tunnel mode and dynamic routing
Giaretta Gerardo <Gerardo.Giaretta@TILAB.COM> writes:
>
> Hi all,
> I have a question about using ipsec in tunnel mode together with dynamic
> routing: I read draft-touch-ipsec-vpn-01.txt but
> I'm not sure that I understood it clearly.
>
> Consider this example: (it's really similar to the example made in the
> draft)
>
>
>                 B
>                / \
>             3 /   \ 4
>              /     \
>  X --...--> A       D --...--> Y
>              \     /
>             1 \   / 1
>                \ /
>                 C
>
You should not use IPsec on a hop-by-hop basis. Assuming A and D are
your Security Gateways, all packets should be encrypted between A and
D, regardless of the path they take.

In other words, a packet arrives at A from X for Y. A knows that
it has to get to D, so it tunnels the packet to D, which can go
via either B or C (which is unimportant). Then D decapsulates
the packet and sends it on to Y.

If C goes down, you re-route via B.
If D goes down, you are out of luck.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
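
The behaviour described in the reply above, as an added example that is not part of the original message: a small model of the quoted topology in which the outer tunnel header stays A -> D while routing picks the path. The function names are hypothetical, and a plain dict stands in for ESP tunnel-mode encapsulation (no cryptography is performed).

```python
import heapq

# Link costs read off the diagram in the quoted question.
LINKS = {("A", "B"): 3, ("B", "D"): 4, ("A", "C"): 1, ("C", "D"): 1}

def shortest_path(src, dst, down=frozenset()):
    """Dijkstra over LINKS, ignoring every node listed in `down`."""
    if src in down or dst in down:
        return None
    adj = {}
    for (u, v), cost in LINKS.items():
        if u in down or v in down:
            continue
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    heap, seen = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, path + [nxt]))
    return None

def tunnel(inner, gw_in="A", gw_out="D", down=frozenset()):
    """Encapsulate at gw_in, route the outer packet, decapsulate at gw_out."""
    # Placeholder for tunnel mode: the inner packet rides as opaque payload.
    outer = {"src": gw_in, "dst": gw_out, "payload": inner}
    path = shortest_path(outer["src"], outer["dst"], down)
    delivered = outer["payload"] if path else None
    return {"outer": (outer["src"], outer["dst"]), "path": path,
            "delivered": delivered}

if __name__ == "__main__":
    pkt = {"src": "X", "dst": "Y", "data": "constructed sample payload"}
    for down in (frozenset(), frozenset({"C"}), frozenset({"D"})):
        r = tunnel(pkt, down=down)
        print(sorted(down), r["outer"], r["path"], r["delivered"] is not None)
```

Losing C changes only the path (A, B, D); the outer addresses and the security association endpoints are untouched. Losing D leaves no path at all, because D is the tunnel endpoint itself.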