
Re: ipsec in tunnel mode and dynamic routing



Giaretta Gerardo <Gerardo.Giaretta@TILAB.COM> writes:

> 	
> Hi all,
> I have a question about using ipsec in tunnel mode together with dynamic
> routing: I read draft-touch-ipsec-vpn-01.txt but
> I'm not sure that I understood it clearly.
> 
> Consider this example: (it's really similar to the example made in the
> draft)
> 
> 
>                   B
>                 /   \
>              3 /     \ 4
>               /       \
> X --...--> A             D --...--> Y
>               \       /
>              1 \     / 1
>                 \   /
>                   C
> 

You should not use IPsec on a hop-by-hop basis.  Assuming A and D are
your Security Gateways, all packets should be encrypted between A and
D, regardless of the path they take.

In other words, a packet arrives at A from X for Y.  A knows that
it has to get to D, so it tunnels the packet to D, which can go
via either B or C (which is unimportant).  Then D decapsulates
the packet and sends it on to Y.

If C goes down, you re-route via B.

If D goes down, you are out of luck.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
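The point made in the reply above, as an added toy simulation (this is not code from the thread, from draft-touch-ipsec-vpn, or from any IPsec implementation): the tunnel-mode SA is pinned to the two security gateways A and D, the IGP only picks the path the outer ESP packet takes between them, and the transit routers B and C never see the inner packet. The topology, link costs, `Packet`/`Network` classes and the one-entry `SPD` table are all constructed for this example.

```python
"""
Toy model of IPsec tunnel mode over a dynamically routed core.
Constructed example: gateways A and D protect traffic X -> Y; B and C
are plain routers on two alternative paths between A and D.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    protected: bool = False          # True while wrapped in ESP
    inner: Packet | None = None      # original packet, when encapsulated


@dataclass
class Network:
    links: dict[tuple[str, str], int] = field(default_factory=dict)
    down: set[str] = field(default_factory=set)   # failed nodes

    def add_link(self, a: str, b: str, cost: int) -> None:
        self.links[(a, b)] = cost
        self.links[(b, a)] = cost

    def shortest_path(self, src: str, dst: str) -> list[str] | None:
        """Dijkstra over live nodes: stands in for what the IGP computes."""
        if src in self.down or dst in self.down:
            return None
        dist, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            d, u = heapq.heappop(heap)
            if u == dst:
                break
            if d > dist.get(u, float("inf")):
                continue
            for (x, y), cost in self.links.items():
                if x == u and y not in self.down and d + cost < dist.get(y, float("inf")):
                    dist[y] = d + cost
                    prev[y] = u
                    heapq.heappush(heap, (d + cost, y))
        if dst not in dist:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return path[::-1]


def build_topology() -> Network:
    """Constructed topology from the thread's diagram: A-B-D costs 3+4, A-C-D costs 1+1."""
    net = Network()
    net.add_link("A", "B", 3)
    net.add_link("B", "D", 4)
    net.add_link("A", "C", 1)
    net.add_link("C", "D", 1)
    return net


# Security policy (hypothetical one-entry SPD): inner dst -> (local gateway, SA peer).
SPD = {"Y": ("A", "D")}


def encapsulate(pkt: Packet, local: str, peer: str) -> Packet:
    """Tunnel mode: the whole inner packet becomes the payload of a gateway-to-gateway packet."""
    return Packet(src=local, dst=peer, payload="ESP", protected=True, inner=pkt)


def decapsulate(outer: Packet, gateway: str) -> Packet:
    if outer.dst != gateway or not outer.protected or outer.inner is None:
        raise ValueError("not an ESP packet addressed to this gateway")
    return outer.inner


def send(net: Network, pkt: Packet) -> tuple[bool, list[str] | None, set[str]]:
    """Deliver pkt from X to Y through the A<->D tunnel.

    Returns (delivered, outer_path, payloads_seen_by_transit_hops) so the caller
    can check both reachability and what the intermediate routers observed.
    """
    local, peer = SPD[pkt.dst]
    outer = encapsulate(pkt, local, peer)
    path = net.shortest_path(outer.src, outer.dst)
    if path is None:
        return False, None, set()            # no route to the SA peer: "out of luck"
    seen = {outer.payload for _ in path[1:-1]}  # transit hops only ever see ESP
    inner = decapsulate(outer, peer)
    return inner.dst == pkt.dst and inner.payload == pkt.payload, path, seen


if __name__ == "__main__":
    net = build_topology()
    for failed in (None, "C", "D"):
        if failed:
            net.down.add(failed)
        ok, path, seen = send(net, Packet("X", "Y", "hello"))
        print(f"failed={failed!s:4} delivered={ok} outer_path={path} transit_saw={seen}")
```

Running it prints three rows: with everything up the ESP packet takes A-C-D, with C down it is re-routed over A-B-D and still delivers, and with D down there is no path to the SA peer, so nothing is delivered. In every case the transit routers see only `ESP`, never the inner payload, which is the property that makes the choice of path unimportant.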

