Re: ipsec in tunnel mode and dynamic routing
But that's not "in the core". That is at the edge. To return to the
picture:
          B
         / \
    X - A   D - Y
         \ /
          C
The 'core' would be B and C; the edges would be A and D. A and D can
still be multihomed, and you get an N*M number of tunnels between the
M addrs of A and the N addrs of D. But traversals through B and C
don't work that way. For example, packets could traverse from C to B
via A... How do you "access control" that? And if you don't then
you're no longer doing open dynamic routing..
-derek
Henry Spencer <henry@spsystems.net> writes:
> On 19 Nov 2001, Derek Atkins wrote:
> > ...Aren't dynamic routing and access-control
> > checks mutually exclusive in the "core"?
>
> Not necessarily. Dynamic routing doesn't have to be an all-or-nothing
> process; it's quite conceivable to have dynamic routing operating within
> access-control restrictions. The simple example is having separate IPsec
> connections to two different gateways into the same corporate network, to
> protect your traffic against gateway outages. People really want to be
> able to do redundant, dynamically-selected paths for IPsec traffic.
>
> Henry Spencer
> henry@spsystems.net
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available