
Re: Is TS agreement necessary?



At 12:17 PM -0800 4/5/02, Kalyan Bade wrote:
>> If an IPsec tunnel can be implemented in an interoperable manner to look
>> like a virtual point-to-point link, it can have a lot of benefits. The
>> IPsec secured virtual point-to-point link can be made visible to the
>> routing protocols, and we can run routing on that link to automatically
>> get the resiliency and all the other benefits provided by routing. No need
>> to run keepalives or DPDs, which only provide information of connectivity
>> to the IPsec gateways, and provide no information about the connectivity
>> to the traffic destination. We can route multicast traffic across the
>> point-to-point link too. Yes, we lose the limited access control that
>> IPsec provides, but any serious deployment would not solely depend on the
>> access control provided by IPsec.
>
> I have seen customers asking for what Chinna has mentioned above. Treat
> the IPsec tunnel as a point-to-point interface and let the routing
> protocols/MPLS use it as an interface in their code. In fact they want to
> treat IPsec exactly as an IP-in-IP tunnel or a GRE tunnel (tunnel MPLS
> packets too, treating them as some transport data). This could always be
> done by treating the phase-2 identities as 0/0. Any comments on the
> above approach.
>
>Thanks,
>Kalyan.

This is closer to the flavor of what L2TP does with IPsec, in 
transport mode. The clients you cite appear to want just 
point-to-point crypto protection and as you noted, you can achieve 
that by using rather promiscuous selectors.

Steve
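The trade-off the thread describes, narrow traffic selectors giving limited access control versus 0/0 selectors giving a plain point-to-point link, is easy to see in the inbound check a gateway performs after decapsulating a tunnel-mode packet. The following is an added example written for this archive page, not code from any poster or from an IPsec implementation: it models the RFC 4301 post-decapsulation selector check in a few lines, with constructed addresses and packets, and a simplified selector (source range, destination range, optional IP protocol) rather than the full selector set.

```python
"""Toy RFC 4301-style traffic selector check (added example, not from the thread).

Models the inbound check an IPsec gateway performs after decapsulating an
ESP tunnel-mode packet: the inner IP header must fall within the traffic
selectors (the "phase-2 identities") negotiated for that SA, otherwise the
packet is dropped. Narrow selectors give the limited access control the
thread mentions; 0/0 <-> 0/0 selectors turn the SA into a point-to-point
link and give that control up. All addresses below are constructed sample
data; the selector model is simplified (no port ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# (inner source, inner destination, IP protocol number)
Packet = Tuple[str, str, int]


@dataclass(frozen=True)
class TrafficSelector:
    """One SA's selector, seen from the receiving gateway: the remote range
    (allowed inner sources), the local range (allowed inner destinations)
    and an optional IP protocol number (None means any protocol)."""
    remote: ipaddress.IPv4Network
    local: ipaddress.IPv4Network
    proto: Optional[int] = None

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return (ipaddress.ip_address(src) in self.remote
                and ipaddress.ip_address(dst) in self.local
                and (self.proto is None or self.proto == proto))


def inbound_accept(sa_ts: TrafficSelector, inner_src: str,
                   inner_dst: str, proto: int) -> bool:
    """Post-decapsulation check: forward the inner packet only if its header
    is within the selectors bound to the SA it arrived on."""
    return sa_ts.matches(inner_src, inner_dst, proto)


def filter_packets(sa_ts: TrafficSelector, packets: List[Packet]) -> List[Packet]:
    """Apply inbound_accept to a batch of decapsulated inner packets."""
    return [p for p in packets if inbound_accept(sa_ts, *p)]


# Narrow selectors: only branch 10.2/16 talking to headquarters 10.1/16.
NARROW = TrafficSelector(remote=ipaddress.ip_network("10.2.0.0/16"),
                         local=ipaddress.ip_network("10.1.0.0/16"))

# "Phase-2 identities as 0/0": the SA is just a point-to-point crypto link,
# so whatever the peer puts inside the tunnel is forwarded.
POINT_TO_POINT = TrafficSelector(remote=ANY, local=ANY)

# Constructed inner packets, all arriving on the same tunnel SA.
SAMPLE_PACKETS: List[Packet] = [
    ("10.2.7.7", "10.1.1.1", 6),        # legitimate branch -> HQ TCP
    ("192.168.99.1", "10.1.1.1", 6),    # inner source outside the remote range
    ("10.2.7.7", "172.16.0.9", 17),     # inner destination outside the local range
]

if __name__ == "__main__":
    for name, ts in (("narrow", NARROW), ("0/0 point-to-point", POINT_TO_POINT)):
        kept = filter_packets(ts, SAMPLE_PACKETS)
        print(f"{name}: forwarded {len(kept)} of {len(SAMPLE_PACKETS)} packets")
        for pkt in kept:
            print("   ", pkt)
```

With the narrow selector only the first sample packet survives; with 0/0 selectors all three are forwarded, including the two whose inner addresses have nothing to do with the negotiated sites. That is exactly the access control the quoted message says a serious deployment should not rely on in the first place: once the tunnel is a routable interface, the filtering has to come from a firewall policy on that interface, not from the SA's selectors.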