
RE: ipsec in tunnel mode and dynamic routing



Some VPN operations may choose to run a dynamic routing protocol through the
tunnel.
The routing keep-alive will be able to detect that an IPsec tunnel goes down and
then adjust the route accordingly. In your example, assume the A-B tunnel is the
preferred path and the A-C tunnel is the backup path. When the A-B tunnel is down,
traffic can go through the A-C tunnel.

All this discussion brings up another interesting question:
How does an IPsec tunnel interact with routing? Unless the IPsec tunnel is implemented
as a virtual interface, it is hard to run routing through the tunnel directly. I
know many vendors choose not to implement IPsec tunnels as separate virtual
interfaces.
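As an added illustration, not code from any poster or any IPsec implementation, here is a small Python model of gateway A from the diagram further down, with its tunnels to B and C treated as routable virtual interfaces: routing-protocol hellos arriving through a tunnel keep it "up", the route lookup picks the preferred live tunnel, and only then is the packet encapsulated toward that tunnel's peer, while a second function shows why binding the packet to a peer before routing leaves it aimed at the dead gateway. The interface names, metrics, network name "net-Y" and the 30-second dead interval are assumptions, and "encryption" is modelled only as choosing the outer destination.

```python
from dataclasses import dataclass

DEAD_INTERVAL = 30.0  # assumed: seconds without a routing hello before a tunnel is declared down


@dataclass
class Tunnel:
    """One IPsec tunnel modelled as a routable virtual interface."""
    name: str
    peer: str          # remote gateway; becomes the outer (tunnel-mode) destination
    last_hello: float  # time the last routing-protocol hello arrived through the tunnel

    def is_up(self, now):
        return now - self.last_hello < DEAD_INTERVAL


@dataclass
class Route:
    prefix: str  # destination network, e.g. "net-Y" (constructed name)
    iface: str   # egress tunnel interface
    metric: int  # lower is preferred


class Gateway:
    def __init__(self, tunnels, routes):
        self.tunnels = {t.name: t for t in tunnels}
        self.routes = routes

    def route_then_encrypt(self, dst, now):
        """Correct order: pick a live tunnel by routing, then encapsulate toward its peer."""
        live = [r for r in self.routes
                if r.prefix == dst and self.tunnels[r.iface].is_up(now)]
        if not live:
            return None  # no usable tunnel: drop rather than encrypt to a dead peer
        best = min(live, key=lambda r: r.metric)
        return {"via": best.iface, "outer_dst": self.tunnels[best.iface].peer}

    def encrypt_then_route(self, dst, now, sa_peer):
        """Wrong order: the outer destination is fixed before routing, so a later
        route lookup cannot move the packet to the surviving tunnel."""
        t = next(t for t in self.tunnels.values() if t.peer == sa_peer)
        return {"via": t.name, "outer_dst": sa_peer, "peer_up": t.is_up(now)}


def build_a(last_hello_b, last_hello_c):
    """Gateway A with a preferred tunnel to B (metric 10) and a backup to C (metric 20)."""
    return Gateway([Tunnel("tun-B", "B", last_hello_b), Tunnel("tun-C", "C", last_hello_c)],
                   [Route("net-Y", "tun-B", 10), Route("net-Y", "tun-C", 20)])


if __name__ == "__main__":
    print(build_a(0.0, 0.0).route_then_encrypt("net-Y", 5.0))        # both up: via B
    print(build_a(0.0, 55.0).route_then_encrypt("net-Y", 60.0))      # B silent: via C
    print(build_a(0.0, 55.0).encrypt_then_route("net-Y", 60.0, "B")) # still aimed at dead B
```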

-----Original Message-----
From: Giaretta Gerardo [mailto:Gerardo.Giaretta@TILAB.COM] 
Sent: Monday, November 19, 2001 12:05 PM
To: Derek Atkins
Cc: ipsec@lists.tislabs.com
Subject: RE: ipsec in tunnel mode and dynamic routing


OK, I can understand that the hop-by-hop example works only if I route
before I encrypt, but in the IPsec documentation (I mean in the IPsec RFCs), I think
it's not clear if the routing comes before
the encryption or vice versa. Is it implementation dependent?

	Gerardo	

-----Original Message-----
From: Derek Atkins [mailto:warlord@MIT.EDU]
Sent: Monday, 19 November 2001 17.33
To: Giaretta Gerardo
Cc: ipsec@lists.tislabs.com
Subject: Re: ipsec in tunnel mode and dynamic routing


The hop-by-hop example only works if you route _before_ you encrypt... In
other words, you route on top of IPsec tunnels.  You can do this if you
consider your IPsec tunnels as routable interfaces.

For example, in your picture:

       B
      / \
 X - A   D - Y
      \ /
       C

.. if A has tunnels to B and C, it can use any routing protocol to choose
which tunnel (B or C) it will use.  When a packet comes in from X, it gets
routed out a tunnel, and before it gets sent out it gets encrypted.

The problem, of course, is detecting when a tunnel endpoint goes down.  This
is a problem with any kind of virtual tunnel, not just IPsec.  With
link-layer neighbors you can use the lower-layer to detect a downed link;
it's more difficult with a virtual tunnel.

However, assuming you can detect a downed tunnel, the routing protocol would
happily use the other tunnel and encrypt to C instead of B. Note that
encryption has to occur _after_ routing, otherwise you may encrypt to the
wrong destination.

-derek

Giaretta Gerardo <Gerardo.Giaretta@TILAB.COM> writes:

> OK, this is right and I understand it, but the hop-by-hop basis example
> is made in the draft. Only, I want to understand the problems that
> arise when you use both IPsec and dynamic routing.
> In the draft it's explained only if you assume a hop-by-hop situation.
> Is this the only situation
> in which problems arise?
> 
> 	Gerardo

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available