RE: I-D ACTION:draft-ietf-ipsec-rfc2402bis-01.txt



Hi all,

Yes, this is a key issue in supporting dynamic routing inside IPsec-based VPNs. Applying IP-in-IP encapsulation (RFC 2003) before transport mode results in a packet which is the same as tunnel mode (satisfying any security issues), BUT allows routing (i.e., setting the encapsulating destination address to the known next-IPsec-hop) to be handled cleanly.

Regards,
Paul Knight

> -----Original Message-----
> From: Joe Touch [mailto:touch@ISI.EDU]
> Sent: Wednesday, July 03, 2002 12:21 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: I-D ACTION:draft-ietf-ipsec-rfc2402bis-01.txt
>
>
> Internet-Drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the IP Security Protocol Working Group of the IETF.
> >
> >	Title		: IP Authentication Header
> >	Author(s)	: S. Kent
> >	Filename	: draft-ietf-ipsec-rfc2402bis-01.txt
> >	Pages		: 30
> >	Date		: 02-Jul-02
>
> Hi, all,
>
> To start the discussion off, we'd certainly appreciate having section
> 3.1.2 at least say "MUST use tunnel mode or its equivalent, i.e.,
> transport over 2003-style IP encapsulation".
>
> We have raised this issue before; details of why are in
> draft-touch-ipsec-vpn-03.txt
>
> (and we're hoping that 2401bis more directly addresses this issue).
>
> Joe
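The equivalence described in the message above, as an added example that is not part of the original thread or of either draft: it builds an AH-protected packet once as RFC 2003 encapsulation followed by transport mode and once as tunnel mode, and compares the bytes. The function names, addresses, key and SPI are constructed for illustration, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib, hmac, socket, struct

AH, IPIP = 51, 4  # IP protocol numbers: AH and IP-in-IP (RFC 2003)

def ip_header(src, dst, proto, total_len, ttl=64, for_icv=False):
    """20-byte IPv4 header without options (TOS, ID, flags and offset all zero)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                    0 if for_icv else ttl, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    if for_icv:  # AH treats TTL and checksum as mutable: zero for the ICV
        return h
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:]

def ipip_encap(inner, src, dst):
    """Routing step: wrap the inner packet, outer destination = chosen next IPsec hop."""
    return ip_header(src, dst, IPIP, 20 + len(inner)) + inner

def ah_protect(src, dst, next_hdr, payload, spi, seq, key, ttl=64):
    """Build IP | AH | payload with an HMAC-SHA1-96 ICV (24-byte AH, Payload Len 4)."""
    total = 20 + 24 + len(payload)
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    covered = ip_header(src, dst, AH, total, for_icv=True) + ah + bytes(12) + payload
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:12]
    return ip_header(src, dst, AH, total, ttl) + ah + icv + payload

def ah_transport(packet, spi, seq, key):
    """Transport mode: keep the packet's own IP header, insert AH after it."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return ah_protect(src, dst, packet[9], packet[20:], spi, seq, key, ttl=packet[8])

def ah_tunnel(inner, tun_src, tun_dst, spi, seq, key):
    """Tunnel mode: IPsec builds the outer header from the SA's tunnel endpoints."""
    return ah_protect(tun_src, tun_dst, IPIP, inner, spi, seq, key)

# Constructed sample values (documentation address ranges, made-up key and SPI).
KEY, SPI, SEQ = b"constructed-demo-key", 0x1000, 1
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
DATA = b"opaque-payload"  # stands in for a UDP datagram
INNER = ip_header("10.1.0.5", "10.2.0.9", 17, 20 + len(DATA)) + DATA

via_transport = ah_transport(ipip_encap(INNER, GW_A, GW_B), SPI, SEQ, KEY)
via_tunnel = ah_tunnel(INNER, GW_A, GW_B, SPI, SEQ, KEY)

if __name__ == "__main__":
    print("identical on the wire:", via_transport == via_tunnel)
    print("outer dst:", socket.inet_ntoa(via_transport[16:20]), "AH next header:", via_transport[20])
```

In the first path the outer destination is chosen by `ipip_encap`, before IPsec processing, which is the point where a routing decision can select the next IPsec hop.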