Re: ipsec in tunnel mode and dynamic routing



In message <3BF9599C.1060300@isi.edu>, Lars Eggert writes:
>Hi,
>
>replying to a number of issues brought up in this thread:
>
>Giaretta Gerardo wrote:
> > I have a question about using ipsec in tunnel mode together with
> > dynamic routing: I read draft-touch-ipsec-vpn-01.txt but I'm not
> > sure that I understood it clearly.
>
>We are currently preparing an update to this expired draft for the
>next IETF; it should be ready sometime this week.
>
>The basic idea of our draft is to allow IPsec transport mode together
>with IPIP tunnels as an alternative to IPsec tunnel mode. In that case,
>routing is based on virtual (tunnel) interfaces, and IPsec is applied
>after routing (unlike IPsec tunnel mode, which encrypts and then routes
>in one step).
>

While I'm not certain I understand what problem you're trying to solve 
that isn't already solved by tunnel mode, there are some weaknesses in 
this scheme as you've outlined it here.  First, unless you have 
port-specific routing, you can't implement the full glory of IPsec SPDs 
(I'm perfectly willing to listen if you want to say that that's a 
feature, not a bug).  Second, I'm not sure that you can easily check 
incoming packets against your policy table, given this model.  And 
that's important.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
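Bellovin's first objection, modelled in code: a destination-prefix routing table (the route-then-transport-mode scheme) cannot express the per-protocol, per-port selectors an SPD can. This is an added illustration, not code from the thread or the draft; the prefixes, ports, interface name `ipip0`, and policy entries are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    dport: int

@dataclass(frozen=True)
class SpdEntry:
    dst: str        # destination prefix selector
    proto: str      # "any" matches every protocol
    dport: int      # 0 means any destination port
    action: str     # "protect", "bypass" or "discard"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

def spd_lookup(spd: list, p: Packet) -> str:
    """IPsec tunnel mode: the first matching SPD entry decides, ports included."""
    for e in spd:
        if e.matches(p):
            return e.action
    return "discard"   # no matching entry: traffic is dropped

def route_lookup(routes: dict, p: Packet) -> str:
    """Route-then-transport model: the longest matching destination prefix
    picks the egress interface, and everything leaving via the IPIP
    tunnel interface gets transport-mode ESP regardless of protocol/port."""
    dst = ipaddress.ip_address(p.dst)
    best = max((n for n in routes if dst in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return "protect" if routes[best] == "ipip0" else "bypass"

# Constructed policy: protect only HTTPS to the remote site, bypass the rest.
SPD = [SpdEntry("10.2.0.0/16", "tcp", 443, "protect"),
       SpdEntry("10.2.0.0/16", "any", 0, "bypass")]
# Constructed routing table: the whole remote prefix is reached via the tunnel.
ROUTES = {"10.2.0.0/16": "ipip0", "0.0.0.0/0": "eth0"}

https_pkt = Packet("10.1.0.5", "10.2.0.9", "tcp", 443)
dns_pkt = Packet("10.1.0.5", "10.2.0.9", "udp", 53)
```

The SPD distinguishes the two flows; the routing table sends both through `ipip0` and therefore protects both, so the "bypass DNS" policy is not expressible without port-specific routing.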
