
Re: ipsec in tunnel mode and dynamic routing

Steven M. Bellovin wrote:

> While I'm not certain I understand what problem you're trying to solve 
> that isn't already solved by tunnel mode, there are some weaknesses in 
> this scheme as you've outlined it here.  First, unless you have 
> port-specific routing, you can't implement the full glory of IPsec SPDs 
> (I'm perfectly willing to listen if you want to say that that's a 
> feature, not a bug).  

FWIW - this is yet another place where I'd prefer to let firewall rules 
do their job, and IPsec do its. So yes, since I believe this can already 
be done with existing mechanisms, I don't care whether it defeats 
IPsec's ability to integrate it. (At least at first look, that's how it 
appears.)

The "full glory" (IMO) here lies in modularization rather than a stovepipe.

Joe
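Added illustration, not part of the thread and not code from either author: a small Python model of the two designs under discussion. An RFC 4301 SPD classifies a packet on address, next-layer protocol and port selectors; the route-then-filter decomposition Joe prefers first picks an interface by destination prefix only (ordinary longest-prefix routing, no "port-specific routing") and then lets a per-interface firewall pass or drop. The constructed policy, addresses and interface names are hypothetical; the example goes slightly beyond the text by showing that protocol selectors, not only ports, hit the same limit: a BYPASS entry for one protocol to a prefix that is otherwise tunnelled has no counterpart, because the filter can drop but cannot redirect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class SpdEntry:
    """One SPD entry with the RFC 4301 selectors this example needs:
    remote address range, next-layer protocol, destination port.
    None means ANY."""
    remote: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    action: str = PROTECT


def spd_lookup(spd, pkt):
    """Ordered first-match search over the SPD, as an IPsec stack
    classifies an outbound packet. No matching entry -> DISCARD."""
    dst = ip_address(pkt.dst)
    for e in spd:
        if dst not in ip_network(e.remote):
            continue
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return DISCARD


def route(table, pkt):
    """Longest-prefix match on the destination address only. This stage
    cannot see protocols or ports, which is Bellovin's objection."""
    dst = ip_address(pkt.dst)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def firewall(rules, iface, pkt):
    """Per-interface filter, first match wins, default ACCEPT. A filter can
    only pass or drop; it cannot move a packet to another interface."""
    for r_iface, proto, dport, verdict in rules:
        if r_iface != iface:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return verdict
    return "ACCEPT"


def modular_decision(table, rules, pkt):
    """Joe's decomposition: routing picks the interface, the firewall filters
    on it, and IPsec protects whatever leaves a tunnel interface."""
    iface = route(table, pkt)
    if iface is None or firewall(rules, iface, pkt) == "DROP":
        return DISCARD
    return PROTECT if iface.startswith("ipsec") else BYPASS


def disagreements(spd, table, rules, packets):
    """Packets on which the SPD and the route+filter pipeline differ."""
    return [p for p in packets
            if spd_lookup(spd, p) != modular_decision(table, rules, p)]


# Constructed sample policy (hypothetical addresses): protect SSH to the
# remote site, let ICMP to it go in the clear, discard anything else bound
# there, and pass all other traffic unprotected.
SPD = [
    SpdEntry("10.2.0.0/16", "tcp", 22, PROTECT),
    SpdEntry("10.2.0.0/16", "icmp", None, BYPASS),
    SpdEntry("10.2.0.0/16", None, None, DISCARD),
    SpdEntry("0.0.0.0/0", None, None, BYPASS),
]

# Closest route table plus per-interface filter (hypothetical interface names).
ROUTES = [("10.2.0.0/16", "ipsec0"), ("0.0.0.0/0", "eth0")]
FW_RULES = [("ipsec0", "tcp", 22, "ACCEPT"), ("ipsec0", None, None, "DROP")]

# Constructed test packets.
PKTS = {
    "ssh":  Packet("10.1.0.5", "10.2.0.9", "tcp", 22),
    "http": Packet("10.1.0.5", "10.2.0.9", "tcp", 80),
    "ping": Packet("10.1.0.5", "10.2.0.9", "icmp"),
    "dns":  Packet("10.1.0.5", "192.0.2.53", "udp", 53),
}

if __name__ == "__main__":
    for name, p in PKTS.items():
        print(f"{name:5} spd={spd_lookup(SPD, p):8} "
              f"modular={modular_decision(ROUTES, FW_RULES, p)}")
```

Running it shows the SSH, HTTP and DNS packets classified identically by both designs, while the ICMP packet is BYPASS under the SPD but DISCARD under route-plus-filter: the prefix route sends every 10.2/16 packet into the tunnel and the filter can only drop it, so reproducing that entry needs protocol- or port-aware routing, exactly the prerequisite the quoted message names.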
