Re: Is TS agreement necessary?
At 12:17 PM -0800 4/5/02, Kalyan Bade wrote:
>>>>>If an IPsec tunnel can be implemented in an interoperable manner to look
>>>>>like a virtual point-to-point link, it can have a lot of benefits. The
>>>>>IPsec secured virtual point-to-point link can be made visible to the
>>>>>routing protocols, and we can run routing on that link to automatically
>>>>>get the resiliency and all the other benefits provided by routing. No need
>>>>>to run keepalives or DPDs, which only provide information of connectivity
>>>>>to the IPsec gateways, and provide no information about the connectivity
>>>>>to the traffic destination. We can route multicast traffic across the
>>>>>point-to-point link too. Yes, we lose the limited access control that
>>>>>IPsec provides, but any serious deployment would not solely depend on the
>>>>>access control provided by IPsec.
>
>I have seen customers asking for what Chinna has mentioned above. Treat
>the IPsec tunnel as a point-to-point interface and let the routing
>protocols/MPLS use it as an interface in its code. In fact they want to
>treat IPsec exactly as an IP-in-IP tunnel or a GRE tunnel (tunnel MPLS
>packets too, treating them as some transport data). This could always be
>done by treating the phase-2 identities as 0/0. Any comments on the
>above approach?
>
>Thanks,
>Kalyan.
This is closer to the flavor of what L2TP does with IPsec, in
transport mode. The clients you cite appear to want just
point-to-point crypto protection and as you noted, you can achieve
that by using rather promiscuous selectors.
Steve
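
The following is an added example, not part of the thread or written by any of its participants. It models the inbound selector check applied to the inner header after decapsulation, once with narrow phase-2 identities and once with the 0/0 identities discussed above, and shows a separate filter on the tunnel interface taking over the access control that the 0/0 selectors no longer provide. The class, function names, addresses and rule set are all constructed for illustration.

```python
# Added illustration: names, addresses and rules below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """Phase-2 identity pair negotiated for one tunnel-mode SA."""
    src: str  # remote protected network (CIDR)
    dst: str  # local protected network (CIDR)

    def permits(self, pkt_src: str, pkt_dst: str) -> bool:
        # Check of the inner header against the SA's selectors.
        return (ip_address(pkt_src) in ip_network(self.src)
                and ip_address(pkt_dst) in ip_network(self.dst))


NARROW = Selector("10.1.0.0/16", "10.2.0.0/16")
WILDCARD = Selector("0.0.0.0/0", "0.0.0.0/0")  # phase-2 identities as 0/0

# Hypothetical filter attached to the tunnel interface, independent of IPsec.
INTERFACE_ACL = [
    ("10.1.0.0/16", "10.2.0.0/16"),  # site-to-site unicast
    ("10.1.0.0/16", "224.0.0.0/4"),  # routing-protocol multicast from the peer
]

# Constructed inner packets: (source, destination).
PACKETS = {
    "site-to-site": ("10.1.4.7", "10.2.0.9"),
    "routing multicast": ("10.1.0.1", "224.0.0.5"),
    "unexpected inner source": ("192.0.2.66", "10.2.0.9"),
}


def acl_permits(pkt_src: str, pkt_dst: str) -> bool:
    return any(ip_address(pkt_src) in ip_network(s)
               and ip_address(pkt_dst) in ip_network(d)
               for s, d in INTERFACE_ACL)


def accepted(selector: Selector, pkt, use_acl: bool = False) -> bool:
    src, dst = pkt
    if not selector.permits(src, dst):
        return False
    return acl_permits(src, dst) if use_acl else True


def verdicts() -> dict:
    """Per packet: (narrow SA, 0/0 SA alone, 0/0 SA plus interface ACL)."""
    return {name: (accepted(NARROW, p), accepted(WILDCARD, p),
                   accepted(WILDCARD, p, use_acl=True))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:26} narrow={result[0]} 0/0={result[1]} 0/0+acl={result[2]}")
```

With the narrow selectors the multicast packet is rejected, which is why routing cannot run over such an SA; with 0/0 every inner packet passes the IPsec check, so the filtering decision rests entirely on the interface rule set.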