
Re: Is TS agreement necessary?



On Fri, 5 Apr 2002, Kalyan Bade wrote:

> > > > > If an IPsec tunnel can be implemented in an interoperable manner to look
> > > > > like a virtual point-to-point link, it can have a lot of benefits. The
> > > > > IPsec secured virtual point-to-point link can be made visible to the
> > > > > routing protocols, and we can run routing on that link to automatically
> > > > > get the resiliency and all the other benefits provided by routing. No need
> > > > > to run keepalives or DPDs, which only provide information of connectivity
> > > > > to the IPsec gateways, and provide no information about the connectivity
> > > > > to the traffic destination. We can route multicast traffic across the
> > > > > point-to-point link too. Yes, we lose the limited access control that
> > > > > IPsec provides, but any serious deployment would not solely depend on the
> > > > > access control provided by IPsec.
>
> I have seen customers asking for what Chinna has mentioned above. Treat
> the IPsec tunnel as a point-to-point interface and let the routing
> protocols/MPLS use it as an interface in their code. In fact, they want to
> treat IPsec exactly as an IP-in-IP tunnel or a GRE tunnel (tunnel MPLS
> packets too, treating them as some transport data). This could always be
> done by treating the phase-2 identities as 0/0. Any comments on the
> above approach?
>
> Thanks,
> Kalyan.
>

In fact, the majority of what we call "site-to-site" deployments use GRE as
a point-to-point virtual link, and use IPsec to protect the GRE tunnel.
But, not everybody implements GRE, and this becomes an interoperability
issue.

I agree, it would be very useful to specify an interoperable way of having
an IPsec tunnel be treated as a virtual point-to-point link, and not have
to rely on GRE always. GRE has some more benefits, like being able to
encapsulate all kinds of protocols in GRE, and not just IP.

    chinna

chinna narasimha reddy pellacuru
s/w engineer
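
The trade-off discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not an IKE or IPsec implementation) of the inbound selector check with narrow phase-2 identities versus 0/0, where forwarding is then decided by the routing table and access control has to come from a separate filter. All prefixes, interface names and the `TUNNEL_ACL` filter are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample data: site A (local) is 10.1.0.0/16, site B (remote) is 10.2.0.0/16.
NARROW = [("10.1.0.0/16", "10.2.0.0/16")]   # (local, remote) phase-2 identities
WILDCARD = [("0.0.0.0/0", "0.0.0.0/0")]     # phase-2 identities negotiated as 0/0
TUNNEL_ACL = ["10.2.0.0/16"]                # hypothetical filter on the tunnel interface
ROUTES = [("10.2.0.0/16", "ipsec0"), ("0.0.0.0/0", "wan0")]


def selector_permits(selectors, src, dst):
    """Inbound check after decryption: inner src/dst must match a selector pair."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(d in ip.ip_network(local) and s in ip.ip_network(remote)
               for local, remote in selectors)


def inbound_accept(selectors, src, dst, acl=None):
    """Selector check plus an optional separate source filter on the tunnel interface."""
    if not selector_permits(selectors, src, dst):
        return False
    return acl is None or any(ip.ip_address(src) in ip.ip_network(n) for n in acl)


def route_lookup(routes, dst):
    """Longest-prefix match; with 0/0 selectors this, not the SPD, picks the tunnel."""
    d = ip.ip_address(dst)
    hits = [(ip.ip_network(p), ifc) for p, ifc in routes if d in ip.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


if __name__ == "__main__":
    legit = ("10.2.3.4", "10.1.0.5")
    odd = ("192.0.2.9", "10.1.0.5")    # inner source outside site B's prefix
    for name, sel, acl in [("narrow", NARROW, None), ("0/0", WILDCARD, None),
                           ("0/0 + ACL", WILDCARD, TUNNEL_ACL)]:
        print(name, inbound_accept(sel, *legit, acl=acl), inbound_accept(sel, *odd, acl=acl))
    print(route_lookup(ROUTES, "10.2.3.4"))
```

With narrow selectors the unexpected inner source is dropped by the selector check itself; with 0/0 it is accepted unless the separate filter is applied.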