Re: ipsec in tunnel mode and dynamic routing
If all you want is to use IPsec for packet encryption and don't care
about access control, this should suffice. However, you won't get
source-address verification of packets.
-derek
"Steven M. Bellovin" <smb@research.att.com> writes:
> While I'm not certain I understand what problem you're trying to solve
> that isn't already solved by tunnel mode, there are some weaknesses in
> this scheme as you've outlined it here. First, unless you have
> port-specific routing, you can't implement the full glory of IPsec SPDs
> (I'm perfectly willing to listen if you want to say that that's a
> feature, not a bug). Second, I'm not sure that you can easily check
> incoming packets against your policy table, given this model. And
> that's important.
>
> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
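
The inbound check both messages refer to, as an added example that is not part of either message: after tunnel-mode decapsulation, the inner addresses are compared with the selectors of the SA the packet arrived on. The SA records, SPIs and addresses are constructed for illustration, and the "routed" SA is an assumption about how a routing-driven tunnel with no per-SA selectors would behave.

```python
# Added illustration; SPIs, prefixes and packets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InboundSA:
    spi: int
    remote_nets: tuple  # inner source prefixes the peer may originate
    local_nets: tuple   # inner destination prefixes the peer may reach


def _within(addr, nets):
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def inbound_check(sa, inner_src, inner_dst):
    """Return (accepted, reason) for a packet already decrypted under `sa`."""
    if not _within(inner_src, sa.remote_nets):
        return False, "inner source outside SA selectors"
    if not _within(inner_dst, sa.local_nets):
        return False, "inner destination outside SA selectors"
    return True, "ok"


# Policy-bound SA: the peer may speak only for 10.1.0.0/16.
STRICT = InboundSA(0x1001, ("10.1.0.0/16",), ("10.2.0.0/16",))
# Routing-only model (assumed): the tunnel carries whatever routing sends it.
ROUTED = InboundSA(0x1002, ("0.0.0.0/0",), ("0.0.0.0/0",))

# Constructed inner headers: (inner_src, inner_dst)
PACKETS = [
    ("10.1.4.7", "10.2.0.9"),    # legitimate traffic from the peer's network
    ("10.2.0.1", "10.2.0.9"),    # inner source claims a local address
    ("172.16.5.5", "10.2.0.9"),  # inner source from an unrelated network
]


def evaluate(sa):
    """Accept/drop decision for each constructed packet under `sa`."""
    return [inbound_check(sa, src, dst)[0] for src, dst in PACKETS]


if __name__ == "__main__":
    for name, sa in (("strict", STRICT), ("routed", ROUTED)):
        print(name, evaluate(sa))
```

With the policy-bound SA only the first packet is accepted; with the routing-only SA all three are, since decryption succeeding says nothing about whether the peer is entitled to the inner source address.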