
Re: ipsec in tunnel mode and dynamic routing



Howdy,

	comment below...

> 
> Ricky Charlet wrote:
>  > One large point to keep in mind about that draft is that its intended
>  > purpose is to create overlay networks. The interested audience for
>  > this is comparatively small. It goes beyond the aims and purposes of
>  > creating secure VPN networks.
> 
> Not necessarily. Using IPIP tunnels + ipsec transport mode is a full
> replacement for IPsec tunnel mode, i.e. you're not losing anything
> by always using the former instead of the latter. Thus, you can use
> our approach to "only" create secure VPNs, which don't need dynamic
> routing.
> 

	First off, I want to say that I respect the IPsec-based overlay network
stuff that you and Joe have done. I am not commenting negatively on that
work. But I have never before considered it as a replacement for our
current IPsec tunnel mode. I was not aware that this was part of your
vision for IPIP encap + IPsec transport.
	
	And I think you may be overreaching in that aim. Even if
IPIP encap + IPsec transport preserved all the security properties of IPsec
tunnels (and I would need to be convinced of that), it still introduces
a large bit of management complexity. IPsec gateways would be
responsible for encapsulating to and securing with a peer who was
selected by a dynamic routing protocol rather than administratively
configured. It seems, on the face of it, that a VPN network which can
have its peers altered by routing protocols is more open to DoS in
particular and less trustable in general. It also requires
administrators to configure security policy on all IPsec gateways which
MIGHT be selected as peers - and that seems a burdensome task and a
difficult thing to keep current.

	If you don't mind, I've grown quite comfortable with tunnel mode and
would like to keep it for my VPNs if there is no pressing reason to
change.

-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." Benjamin Franklin

  Ricky Charlet   : SonicWall Inc.   : usa (510) 497-2103
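Added illustration, not part of this thread or of either poster's work: the claim above that IPIP encapsulation plus ESP transport mode is a drop-in replacement for ESP tunnel mode rests on the two producing the same bytes on the wire, while Ricky's reservation about security properties comes down to what the IPsec policy lookup can still see. The script below builds both encapsulations for a constructed inner packet (gateway addresses 192.0.2.1 and 198.51.100.1, SPI 0x1000, and the UDP payload are all sample values) and shows that the packets are byte-identical, then shows the selector each mode's SPD can actually match on. Encryption and the ESP integrity check value are left out so the layering stays visible; the header builders are minimal versions written for this example, not a real IPsec stack.

```python
"""Constructed example: ESP tunnel mode vs. IPIP tunnel + ESP transport mode."""
import struct

ESP_PROTO = 50   # IANA protocol number for ESP
IPIP_PROTO = 4   # IANA protocol number for IP-in-IP

# Constructed sample values for this illustration only.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
HOST_A, HOST_B = "10.1.0.5", "10.2.0.9"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP header | payload | padding | pad length | next header (RFC 4303 layout)."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to 4 bytes
    pad = bytes(range(1, pad_len + 1))           # ESP's default monotonic padding
    return struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_header])


def tunnel_mode(inner: bytes, gw_a: str, gw_b: str, spi: int, seq: int) -> bytes:
    """ESP tunnel mode: ESP wraps the whole inner IP packet, next header = 4."""
    esp = esp_encapsulate(inner, IPIP_PROTO, spi, seq)
    return ipv4_header(gw_a, gw_b, ESP_PROTO, len(esp)) + esp


def ipip_plus_transport(inner: bytes, gw_a: str, gw_b: str, spi: int, seq: int) -> bytes:
    """IPIP tunnel interface first, then ESP transport mode on its outer packet."""
    # Step 1: the tunnel interface prepends an outer header carrying protocol 4.
    ipip_packet = ipv4_header(gw_a, gw_b, IPIP_PROTO, len(inner)) + inner
    outer_hdr, outer_payload = ipip_packet[:20], ipip_packet[20:]
    # Step 2: transport-mode ESP protects only the outer header's payload and
    # records the displaced protocol number (4) as the ESP next-header value.
    esp = esp_encapsulate(outer_payload, outer_hdr[9], spi, seq)
    return ipv4_header(gw_a, gw_b, ESP_PROTO, len(esp)) + esp


def spd_selector(mode: str, inner: bytes, gw_a: str, gw_b: str) -> tuple:
    """The (src, dst, proto) triple the IPsec policy lookup can match on.

    In tunnel mode the selectors are taken from the inner packet, so the SPD
    itself can restrict which end hosts may use the SA.  With IPIP + transport
    mode the IPsec layer only ever sees the tunnel's outer header, i.e. the two
    gateways and protocol 4; any per-host policy has to be enforced elsewhere.
    """
    if mode == "tunnel":
        return (ip_str(inner[12:16]), ip_str(inner[16:20]), inner[9])
    if mode == "ipip+transport":
        return (gw_a, gw_b, IPIP_PROTO)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed inner packet: HOST_A -> HOST_B, protocol 17 (UDP), 8 bytes of payload.
SAMPLE_INNER = ipv4_header(HOST_A, HOST_B, 17, 8) + b"\x00" * 8


def demo() -> dict:
    """Compare both encapsulations of SAMPLE_INNER under the same SA parameters."""
    t = tunnel_mode(SAMPLE_INNER, GW_A, GW_B, 0x1000, 1)
    x = ipip_plus_transport(SAMPLE_INNER, GW_A, GW_B, 0x1000, 1)
    return {
        "wire_identical": t == x,
        "outer_proto": t[9],                      # 50: ESP in both cases
        "esp_next_header": t[-1],                 # 4: an IP packet follows the ESP header
        "tunnel_selector": spd_selector("tunnel", SAMPLE_INNER, GW_A, GW_B),
        "transport_selector": spd_selector("ipip+transport", SAMPLE_INNER, GW_A, GW_B),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The byte-for-byte equality is what makes "you're not losing anything" true on the wire. The two selector tuples are where the modes differ for a gateway administrator: once the inner addresses are hidden behind protocol 4, the per-peer policy that tunnel mode keeps inside the SPD has to be reproduced on the tunnel interface or a packet filter, which is the extra configuration burden the reply above is worried about.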

