
Re: ipsec in tunnel mode and dynamic routing



The hop-by-hop example only works if you route _before_ you encrypt...
In other words, you route on top of IPsec tunnels.  You can do this
if you consider your IPsec tunnels as routable interfaces.

For example, in your picture:

       B
      / \
 X - A   D - Y
      \ /
       C

.. if A has tunnels to B and C, it can use any routing protocol
to choose which tunnel (B or C) it will use.  When a packet comes
in from X, it gets routed out a tunnel, and before it gets sent
out it gets encrypted.

The problem, of course, is detecting when a tunnel endpoint goes
down.  This is a problem with any kind of virtual tunnel, not just
IPsec.  With link-layer neighbors you can use the lower-layer to
detect a downed link; it's more difficult with a virtual tunnel.

However, assuming you can detect a downed tunnel, the routing protocol
would happily use the other tunnel and encrypt to C instead of B.
Note that encryption has to occur _after_ routing, otherwise you may
encrypt to the wrong destination.

-derek

Giaretta Gerardo <Gerardo.Giaretta@TILAB.COM> writes:

> ok this is right and I understand it, but the hop-by-hop basis example
> is made in the draft.
> Only, I want to understand the problems that arise when you use both
> ipsec and dynamic routing.
> In the draft it's explained only if you assume a hop by hop situation.
> Is this the only situation
> in which problems arise?
> 
> 	Gerardo

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
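A toy model of the route-then-encrypt ordering described above, added here as an example and not code from the thread or from any IPsec implementation: the addresses, SPIs, the Tunnel/Router classes and the dead-peer check are constructed for illustration, and no real encryption is performed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:  # one IPsec tunnel treated as a routable interface
    name: str
    peer: str        # outer address of the remote tunnel endpoint
    spi: int         # SA identifier used when encrypting toward this peer
    up: bool = True  # liveness learned from keepalive / dead-peer detection

def encapsulate(inner, sa):
    # Tunnel-mode ESP sketch, no real crypto: the outer header names the SA's peer.
    return {"outer_dst": sa.peer, "spi": sa.spi, "inner": inner}

class Router:  # router A: routes point prefixes at tunnels, not at next hops
    def __init__(self, tunnels):
        self.tunnels = {t.name: t for t in tunnels}
        self.routes = {}  # network -> tunnel names in preference order
    def add_route(self, prefix, via):
        self.routes[ipaddress.ip_network(prefix)] = list(via)
    def dead_peer_check(self, name, reply_seen):
        # An unanswered keepalive marks the tunnel down, so routing stops using it.
        self.tunnels[name].up = reply_seen
    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, cands in self.routes.items():
            if addr in net:
                for name in cands:
                    if self.tunnels[name].up:
                        return self.tunnels[name]
        return None
    def route_then_encrypt(self, inner):
        # Correct order: the route lookup picks the tunnel, then that tunnel's SA is used.
        tun = self.lookup(inner["dst"])
        return None if tun is None else encapsulate(inner, tun)
    def encrypt_then_route(self, inner, sa):
        # Wrong order: the SA was chosen before routing, so the outer header already
        # names that peer and a later lookup cannot steer it onto the surviving tunnel.
        return encapsulate(inner, sa)

def failover_demo():
    # Constructed A-B/C-Y topology from the mail: prefer B, fall back to C.
    tun_b = Tunnel("tun-B", "198.51.100.2", 0x1001)
    tun_c = Tunnel("tun-C", "198.51.100.3", 0x1002)
    a = Router([tun_b, tun_c])
    a.add_route("10.2.0.0/16", ["tun-B", "tun-C"])  # Y's network (constructed)
    pkt = {"src": "10.1.0.7", "dst": "10.2.0.9"}    # X -> Y
    before = a.route_then_encrypt(pkt)["outer_dst"]  # healthy: via B
    a.dead_peer_check("tun-B", reply_seen=False)     # B stops answering
    good = a.route_then_encrypt(pkt)["outer_dst"]    # rerouted: via C
    bad = a.encrypt_then_route(pkt, tun_b)["outer_dst"]  # still aimed at dead B
    return before, good, bad
```

Once B's tunnel is marked down, only the route-first path ends up encrypting to C; the encrypt-first path still carries B's outer address, which is the "wrong destination" case the mail warns about.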