
Re: questions on draft-touch-ipsec-vpn



At 12:49 PM 4/3/02 -0500, Lars Eggert wrote:
>Mark Duffy wrote:
>...
>> The draft describes using IP-in-IP tunnelling and securing the result with
>> transport mode IPsec (IIPtran).  Why choose this approach over simply
>> negotiating tunnel mode IPsec with wild-card selectors (i.e. 0.0.0.0/0) and
>> then at a higher level using the routing decision to choose which tunnel to
>> use?
>
>Mainly because current IP routing daemons already work over IPIP
>tunnels, while you'd have to re-implement them at that higher level and
>make them aware of IPsec SAs. IP routing is based on the notion of
>directly connected interfaces - the problem with some IPsec tunnel mode
>implementations is that their SAs are not interfaces.

This consideration seems specific to certain implementation environments,
e.g. when building something running as an "application" (term used here in
a very loose sense) on top of a "standard OS".  In other environments such
as certain embedded ones I am familiar with, IPsec tunnels can just as
easily be cast as routable interfaces as IPIP tunnels can be (perhaps even
easier :-)

Mind you, I'm not sure that IIPtran has a downside in such environments
(that's what I'm trying to figure out!)  I just don't think it has the
stated upside for such environments.

--Mark
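As an added illustration (not code from the draft, from this thread, or from any IPsec implementation), the following Python models the two designs under discussion. In the IIPtran arrangement the routing table selects an IPIP tunnel interface, and a transport-mode SPD entry keyed on the tunnel endpoints and protocol 4 protects whatever leaves that interface, so a route learned by a routing daemon changes only the routing table. With tunnel-mode SAs that carry wild-card selectors, the SPD matches every SA and the choice has to be made somewhere above IPsec. All addresses, interface names, and SA names are constructed placeholders.

```python
"""Toy model of the two VPN designs compared in the thread (added example).

IIPtran: the routing table picks an IP-in-IP tunnel *interface*; IPsec in
transport mode then protects the resulting IPIP packet (protocol 4) between
the tunnel endpoints.  Tunnel mode with wild-card selectors: the SPD itself
would have to pick the tunnel, and 0.0.0.0/0 selectors cannot tell two
tunnel SAs apart.  Every address, interface and SA name below is a
constructed placeholder.
"""
from ipaddress import ip_address, ip_network

IPIP_PROTO = 4  # IANA protocol number for IP-in-IP encapsulation


class RoutingTable:
    """Longest-prefix-match table mapping destination prefixes to interfaces."""

    def __init__(self):
        self.routes = []  # list of (ip_network, interface name)

    def add(self, prefix, ifname):
        self.routes.append((ip_network(prefix), ifname))

    def lookup(self, dst):
        dst = ip_address(dst)
        matches = [(net, ifname) for net, ifname in self.routes if dst in net]
        if not matches:
            return None
        # Most specific prefix wins, as a routing daemon would install it.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class IpipTunnel:
    """An IPIP tunnel interface: a routable interface with fixed endpoints."""

    def __init__(self, local, remote):
        self.local, self.remote = local, remote

    def encapsulate(self, inner):
        # Outer header carries the tunnel endpoints; the inner packet is payload.
        return {"src": self.local, "dst": self.remote,
                "proto": IPIP_PROTO, "inner": inner}


class TransportSpd:
    """Transport-mode SPD keyed on the outer (src, dst, proto) triple."""

    def __init__(self):
        self.entries = {}

    def add(self, src, dst, proto, sa_name):
        self.entries[(src, dst, proto)] = sa_name

    def lookup(self, pkt):
        return self.entries.get((pkt["src"], pkt["dst"], pkt["proto"]))


def iiptran_send(pkt, rib, tunnels, spd):
    """IIPtran path: route -> encapsulate on that interface -> transport-mode SA.

    Returns (sa_name, outer_packet), or None when there is no route.
    """
    ifname = rib.lookup(pkt["dst"])
    if ifname is None:
        return None
    outer = tunnels[ifname].encapsulate(pkt)
    sa = spd.lookup(outer)
    if sa is None:
        # A tunnel interface with no matching policy would emit plaintext IPIP;
        # treat that as a configuration error instead of sending.
        raise LookupError(f"no transport-mode policy for tunnel {ifname}")
    return sa, outer


def wildcard_tunnel_spd(*sa_names):
    """Tunnel-mode SPD entries (selector, sa_name), all with 0.0.0.0/0 selectors."""
    return [(ip_network("0.0.0.0/0"), sa) for sa in sa_names]


def wildcard_tunnel_mode_candidates(pkt, tunnel_spd):
    """Every tunnel-mode SA whose selector matches the packet.

    With wild-card selectors all of them match, so the SPD alone cannot
    choose a tunnel; that decision has to be re-implemented above IPsec.
    """
    dst = ip_address(pkt["dst"])
    return [sa for selector, sa in tunnel_spd if dst in selector]


def build_demo():
    """Two IPIP tunnels to two peers, each protected by its own transport SA."""
    rib = RoutingTable()
    rib.add("10.1.0.0/16", "ipip0")
    rib.add("10.2.0.0/16", "ipip1")
    tunnels = {"ipip0": IpipTunnel("192.0.2.1", "198.51.100.1"),
               "ipip1": IpipTunnel("192.0.2.1", "203.0.113.1")}
    spd = TransportSpd()
    spd.add("192.0.2.1", "198.51.100.1", IPIP_PROTO, "sa-peerA")
    spd.add("192.0.2.1", "203.0.113.1", IPIP_PROTO, "sa-peerB")
    return rib, tunnels, spd


if __name__ == "__main__":
    rib, tunnels, spd = build_demo()
    pkt = {"src": "10.0.0.5", "dst": "10.2.5.5", "proto": 6}
    print(iiptran_send(pkt, rib, tunnels, spd))
    rib.add("10.2.5.0/24", "ipip0")  # routing daemon learns a more specific route
    print(iiptran_send(pkt, rib, tunnels, spd))
    print(wildcard_tunnel_mode_candidates(pkt, wildcard_tunnel_spd("sa-peerA", "sa-peerB")))
```

Running it shows the same inner packet switching from sa-peerB to sa-peerA after a single routing-table change, with the SPD untouched, while the wild-card tunnel-mode SPD returns both SAs as equally valid matches.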