Re: ipsec in tunnel mode and dynamic routing
Steven M. Bellovin wrote:
> While I'm not certain I understand what problem you're trying to solve
> that isn't already solved by tunnel mode, there are some weaknesses in
> this scheme as you've outlined it here. First, unless you have
> port-specific routing, you can't implement the full glory of IPsec SPDs
> (I'm perfectly willing to listen if you want to say that that's a
> feature, not a bug).
FWIW - this is yet another place where I'd prefer to let firewall rules
do their job, and IPsec do its. So yes, since I believe this can already
be done with existing mechanisms, I don't care whether it defeats
IPsec's ability to integrate it. (At least at first look, that's how it
appears.)
The "full glory" (IMO) here lies in modularization rather than a stovepipe.
Joe