
RE: routing and outbound.



Mahdavi,

are you doing hop-by-hop IPSec, i.e. construct a virtual topology out of
IPsec tunnels? If so, we have some information on this in
draft-touch-ipsec-vpn-01.txt (expired, -02 has been submitted, but not yet
announced).

If you aren't (i.e. you're simply routing IPsec packets), nothing happens
at routers: IPsec is end-to-end.

Or maybe I didn't understand your question correctly?

Lars
--
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California


-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Mahdavi
Sent: Sunday, November 25, 2001 5:56 AM
To: ipsec
Subject: routing and outbound.


Hi.

Imagine an IPSEC armed router. As anyone knows, routers have interfaces. Each
interface may be IPSEC enabled or not (Am I right!!??).

Upon arrival of any packet at the router, which series of tasks must be done on
the packet?

1- Inbound, Outbound and then Routing.
2- Inbound, Routing and then Outbound.
3- Routing, Inbound and then Outbound.

Each of these configurations has weaknesses.

a)- In case 1 there is a high probability danger of denial of service for
the protected subnetwork when at least one of the router's interfaces is IPSEC
unarmed.
b)- Case 2 has a logical flaw. After the Outbound process a new packet will be made
with a new IP header, so this needs routing again.
c)- Case 3 means that the IPSEC process must be done after Routing. This has a
spoofing danger.

Now what configuration is correct, or maybe I have a basic
misunderstanding.

Best regards

mahdavi
