
Re: ipsec in tunnel mode and dynamic routing

Steven M. Bellovin wrote:

> In message <3BF9599C.1060300@isi.edu>, Lars Eggert writes:
> 
>>The basic idea of our draft is to allow IPsec transport mode together
>>with IPIP tunnels as an alternative to IPsec tunnel mode. In that case,
>>routing is based on virtual (tunnel) interfaces, and IPsec is applied
>>after routing (unlike IPsec tunnel mode, which encrypts and then routes
>>in one step).
> 
> While I'm not certain I understand what problem you're trying to solve 
> that isn't already solved by tunnel mode, there are some weaknesses in 
> this scheme as you've outlined it here.  First, unless you have 
> port-specific routing, you can't implement the full glory of IPsec SPDs 
> (I'm perfectly willing to listen if you want to say that that's a 
> feature, not a bug).  Second, I'm not sure that you can easily check 
> incoming packets against your policy table, given this model.  And 
> that's important.


Steve -

Our ID has been out for quite a while, and was presented in Adelaide in 
Spring 2000 (it even expired, but a copy is available on my website at 
http://www.isi.edu/touch/pubs/draft-touch-ipsec-vpn-01.txt)

The ID describes in detail:
	- the problem we're trying to solve and
	why it is not solved by tunnel mode

	- how incoming packets are checked, and why checking them
	is already required (turns out you can use our mode for
	outbound and tunnel mode for inbound just fine, BTW)

Can you rephrase your concerns in the context of the content of the draft??

Thanks,

Joe
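The contrast the two messages argue over, as an added Python model that is not code from the draft or from either author: an SPD with a port-specific entry, a prefix route table for the IPIP interface with transport-mode IPsec behind it, and the inbound policy check. Addresses, SA names and policy entries are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed SPD: two entries that differ only by destination port (first match wins).
# This is the "full glory of IPsec SPDs" case Bellovin raises.
SPD = [
    ({"dst": "10.2.0.0/16", "proto": "tcp", "dport": 80}, "SA-web"),
    ({"dst": "10.2.0.0/16"}, "SA-bulk"),
]

# Constructed route table for the draft's model: destination prefix -> virtual tunnel
# interface, and each interface carries exactly one transport-mode SA.
ROUTES = {"10.2.0.0/16": "ipip0"}
TUNNEL_SA = {"ipip0": "SA-bulk"}


def spd_match(sel, pkt):
    """True if the packet matches every selector field present in the policy entry."""
    return (ip_address(pkt.dst) in ip_network(sel["dst"])
            and sel.get("proto", pkt.proto) == pkt.proto
            and sel.get("dport", pkt.dport) == pkt.dport)


def tunnel_mode_select(pkt):
    """IPsec tunnel mode: the SPD lookup (selectors include ports) picks the SA directly."""
    for sel, sa in SPD:
        if spd_match(sel, pkt):
            return sa
    return None


def ipip_transport_select(pkt):
    """Draft model: ordinary prefix routing picks the tunnel interface, and transport-mode
    IPsec then protects whatever leaves that interface. Without port-specific routing the
    port selector in the SPD cannot influence the choice."""
    for prefix, ifname in ROUTES.items():
        if ip_address(pkt.dst) in ip_network(prefix):
            return TUNNEL_SA[ifname]
    return None


def inbound_check(sa, inner_pkt):
    """Inbound: after decryption and decapsulation, confirm the inner packet matches the
    policy that maps to the SA it arrived on; otherwise it must be dropped."""
    return tunnel_mode_select(inner_pkt) == sa
```

The model shows the two concerns side by side: the web packet is steered to SA-web by the SPD but to SA-bulk by prefix routing, and the inbound check rejects a packet that arrives on an SA its selectors do not permit.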