
Re: ipsec in tunnel mode and dynamic routing



If all you want is to use IPsec for packet encryption and don't care
about access control, this should suffice.  However, you won't get
source-address verification of packets.

-derek

"Steven M. Bellovin" <smb@research.att.com> writes:

> While I'm not certain I understand what problem you're trying to solve 
> that isn't already solved by tunnel mode, there are some weaknesses in 
> this scheme as you've outlined it here.  First, unless you have 
> port-specific routing, you can't implement the full glory of IPsec SPDs 
> (I'm perfectly willing to listen if you want to say that that's a 
> feature, not a bug).  Second, I'm not sure that you can easily check 
> incoming packets against your policy table, given this model.  And 
> that's important.
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
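Added illustration (not part of the thread, and not code from either poster): a toy model of the two inbound-processing styles under discussion. In the "tunnel membership decided by routing" scheme, whatever decrypts successfully on the tunnel SA is forwarded, so the inner source address is never checked against policy. In an RFC 4301-style implementation, each SA carries traffic selectors and an inbound packet whose inner headers fall outside them is dropped; selectors can also be narrower than a route (protocol and port), which is the "full glory of IPsec SPDs" point in the quoted message. All names (`Selector`, `SA`, `InnerPacket`, the SPIs and the 10.x/192.0.2.x addresses) are assumptions constructed for the example.

```python
"""Toy model: inbound IPsec check by routing only vs. by SA traffic selectors.

Constructed example; the class and field names are assumptions, loosely
mirroring the selector concepts of RFC 4301, not any particular stack's API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Selector:
    # Inner-header selectors bound to an SA: source range, destination range,
    # and optionally protocol and destination port (None = wildcard).
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class SA:
    spi: int
    peer: str        # outer address of the remote tunnel endpoint
    sel: Selector    # what this SA is allowed to carry


@dataclass(frozen=True)
class InnerPacket:
    # Decapsulated (inner) header fields of a packet that arrived on some SA.
    src: str
    dst: str
    proto: int = 6
    dst_port: int = 0


def matches(sel: Selector, pkt: InnerPacket) -> bool:
    """True if the inner headers fall inside the SA's selectors."""
    if ipaddress.ip_address(pkt.src) not in sel.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in sel.dst:
        return False
    if sel.proto is not None and pkt.proto != sel.proto:
        return False
    if sel.dst_port is not None and pkt.dst_port != sel.dst_port:
        return False
    return True


def accept_routing_only(sa: SA, pkt: InnerPacket) -> bool:
    """The scheme from the thread: anything that decrypts on the SA is forwarded.
    The inner source is trusted purely because the outer packet authenticated."""
    return True


def accept_with_spd_check(sa: SA, pkt: InnerPacket) -> bool:
    """Selector-aware inbound check: the SA only vouches for traffic it is
    configured to carry, so a mismatching inner source is dropped."""
    return matches(sa.sel, pkt)


# Constructed SAs with a branch-office peer at 192.0.2.1 (RFC 5737 documentation range).
BRANCH_SA = SA(
    spi=0x1001, peer="192.0.2.1",
    sel=Selector(ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/16")),
)
# A narrower SA that only carries TCP to port 25; routing alone cannot express this.
MAIL_ONLY_SA = SA(
    spi=0x1002, peer="192.0.2.1",
    sel=Selector(ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/16"), proto=6, dst_port=25),
)

# Constructed inbound packets, both received and successfully decrypted on BRANCH_SA.
LEGIT = InnerPacket("10.1.2.3", "10.0.0.5", proto=6, dst_port=22)
# The peer (or whoever holds its keys) stamps a hub-side source address on the inner header.
SPOOFED = InnerPacket("10.0.0.9", "10.0.0.5", proto=6, dst_port=22)
MAIL = InnerPacket("10.1.2.3", "10.0.0.5", proto=6, dst_port=25)


def classify(sa: SA, pkts: List[InnerPacket],
             policy: Callable[[SA, InnerPacket], bool]) -> Dict[str, bool]:
    """Map each packet's inner source to the accept/drop decision of `policy`."""
    return {p.src: policy(sa, p) for p in pkts}


if __name__ == "__main__":
    for name, policy in (("routing-only", accept_routing_only),
                         ("spd-check", accept_with_spd_check)):
        print(name, classify(BRANCH_SA, [LEGIT, SPOOFED], policy))
```

Run as a script it shows the spoofed 10.0.0.9 packet accepted under the routing-only policy and dropped under the selector check; `MAIL_ONLY_SA` shows a port-granular selector that a route to 10.0.0.0/16 cannot stand in for.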

