
Re: Do we actually need dynamic ports?



When I was talking about dynamic selectors, it was not just ports. The
scenario I had in mind was a customer who is replacing his leased lines with
a tunnel.

With the leased lines, the packet travels over the leased line based on
which interface the packet arrives on. The customer may add or delete private
addresses to his subnet. As long as his router knows how to reach the
interface, the service provider does not have to change any configuration.

If the service provider replaces this leased line with an IPSec tunnel, can he
continue to do what he did with the leased lines? i.e. tunnel the packet
based on the interface the packet arrives on. If the tunnel setup requires the
network addresses at the two tunnel end points, then he has to update his
configuration whenever the customer adds/deletes subnets. This was not
required in the case of leased lines.

We can solve this with IP-in-IP and transport mode or 0.0.0.0/0 (which
requires more work if you have multiple leased lines), but with just an IPSec
compliant device, we will not be able to do it cleanly. Being able to set up
a tunnel without having to agree on selectors should be considered.

Thanks,
-Rajesh M

----- Original Message -----
From: "Mike Ditto" <ford@incog.com>
To: <ipsec@lists.tislabs.com>
Sent: Thursday, March 28, 2002 3:23 PM
Subject: Re: Do we actually need dynamic ports?


> > How many are there, actually?
>
> Don't forget RealAudio and SQLNet.
>
> -=] Mike [=-