
questions on draft-touch-ipsec-vpn
Hi, I have a few questions for the authors of draft-touch-ipsec-vpn-03.txt.

The draft addresses the use of IPsec to secure the virtual links of an
overlay network.  In this application, the goal is to make forwarding
decisions based on evaluating the packet destination address against a
forwarding table, rather than by evaluating a set of packet selectors
against an SPD.  I.e. the policy aspect of IPsec is not desired in this
application and must somehow be gotten around.

The draft describes using IP-in-IP tunnelling and securing the result with
transport mode IPsec (IIPtran).  Why choose this approach over simply
negotiating tunnel mode IPsec with wild-card selectors (i.e. 0.0.0.0/0) and
then at a higher level using the routing decision to choose which tunnel to
use?

IIPtran may appear to retain more vestiges of IPsec policy (i.e. the policy
being to apply transport mode IPsec to all traffic between the tunnel end
points) but I believe this is illusory as in fact the same packets get the
same IPsec treatment with IIPtran as with the wild-card selectors approach.
In the final analysis, both approaches make the entire decision based only
on the overlay forwarding table.

I get a hint from reading the draft that the proposal may be motivated by
an implementation environment where there is already a platform with an IP
stack and IPsec embedded in it, and it is desired not to change the IPsec
implementation or its relationship to the rest of the IP stack.  Is that
the reason for this choice of approaches?

Thanks, Mark
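The comparison the message makes between the two designs can be made concrete with a small model. The following is an added example, not code from the draft or from the message author: it models one overlay node with a constructed forwarding table, constructed overlay and underlay addresses, and IPsec reduced to "which SA, which outer header" so the decision path is visible (no cryptography is performed). `iiptran_send` does IP-in-IP encapsulation first and then consults a transport-mode SPD whose selectors are only the tunnel endpoints; `tunnel_send` lets the forwarding decision pick a tunnel-mode SA whose selector is `0.0.0.0/0`. `same_treatment` checks the claim that both paths map each packet to the same peer and the same outer header.

```python
"""Model of IIPtran vs. tunnel-mode-with-wildcard-selectors for overlay links.

Added example, not part of draft-touch-ipsec-vpn or the message above.
All addresses, prefixes and SA names below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed node: overlay address 10.0.0.1, underlay (public) address below.
LOCAL_UNDERLAY = "192.0.2.1"

# Constructed overlay forwarding table: overlay prefix -> underlay address of
# the peer that terminates the virtual link toward that prefix.
FORWARDING_TABLE = {
    "10.0.1.0/24": "198.51.100.2",
    "10.0.2.0/24": "203.0.113.3",
    "10.0.2.128/25": "203.0.113.3",  # more-specific route to the same peer
}


def lookup_next_hop(dst: str):
    """Longest-prefix match of the overlay destination; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, peer in FORWARDING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


# Approach A (IIPtran): transport-mode SAs whose SPD selectors are only the
# tunnel endpoints (outer src, outer dst). Nothing about the inner packet is
# examined by the SPD; the forwarding table has already made the choice.
TRANSPORT_SPD = {
    (LOCAL_UNDERLAY, "198.51.100.2"): "SA-transport-A",
    (LOCAL_UNDERLAY, "203.0.113.3"): "SA-transport-B",
}


def iiptran_send(pkt: Packet):
    """Forwarding lookup, IP-in-IP encapsulation, then transport-mode IPsec."""
    peer = lookup_next_hop(pkt.dst)
    if peer is None:
        return None  # no overlay route: packet is dropped before IPsec
    # IP-in-IP: the whole overlay packet becomes the payload of an outer packet.
    outer = Packet(LOCAL_UNDERLAY, peer, payload=repr(pkt).encode())
    # Transport-mode SPD lookup keyed on the outer addresses only.
    sa = TRANSPORT_SPD.get((outer.src, outer.dst))
    if sa is None:
        raise LookupError(f"no transport SA toward {peer}")
    return {"peer": peer, "outer": (outer.src, outer.dst),
            "inner": (pkt.src, pkt.dst), "sa": sa}


# Approach B: one tunnel-mode SA per peer, each negotiated with a wildcard
# selector. The routing decision, not the SPD, picks which SA to use.
TUNNEL_SAS = {
    "198.51.100.2": ("SA-tunnel-A", "0.0.0.0/0"),
    "203.0.113.3": ("SA-tunnel-B", "0.0.0.0/0"),
}


def tunnel_send(pkt: Packet):
    """Forwarding lookup selects a tunnel-mode SA; the SA builds the outer header."""
    peer = lookup_next_hop(pkt.dst)
    if peer is None:
        return None
    sa, selector = TUNNEL_SAS[peer]
    # The wildcard selector admits every inner destination; the check is
    # kept only to show that the SPD contributes nothing to the decision.
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(selector):
        raise LookupError("selector mismatch (cannot happen with 0.0.0.0/0)")
    return {"peer": peer, "outer": (LOCAL_UNDERLAY, peer),
            "inner": (pkt.src, pkt.dst), "sa": sa}


def same_treatment(packets):
    """True if every packet gets the same peer and outer header under both designs."""
    for pkt in packets:
        a, b = iiptran_send(pkt), tunnel_send(pkt)
        if (a is None) != (b is None):
            return False
        if a is not None and (a["peer"], a["outer"], a["inner"]) != (b["peer"], b["outer"], b["inner"]):
            return False
    return True


if __name__ == "__main__":
    sample = [Packet("10.0.0.1", "10.0.1.7", b"x"),
              Packet("10.0.0.1", "10.0.2.200", b"y"),
              Packet("10.0.0.1", "10.9.9.9", b"z")]
    for p in sample:
        print(p.dst, iiptran_send(p), tunnel_send(p))
    print("same treatment:", same_treatment(sample))
```

The SA names differ between the two models, which is the only thing that does: the selection of peer and outer header is identical, and in both cases it is made entirely by `lookup_next_hop`. What the model does not capture is the implementation question the message raises last, namely whether an existing stack can do IP-in-IP before transport-mode IPsec without touching the IPsec code.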