
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP



Francis Dupont wrote:
<trimmed...>

>    - Typical IPsec implementations. Most of them are bump in the stack
>    (software ones). Am I correct? Does it mean that IP routing is the only way
>    to direct traffic into the right tunnels? i.e. destination address based. Are
>    there any implementations that do not follow this paradigm? Any pointers
>    would be helpful.
> 
> => I disagree: at the initiator side the only needed thing is a SPD
> with some entries to disable infinite recursive protection and an entry
> for everything else. The SPD is used before routing so the routes are
> the same in general with and without the VPN.
> At the responder/SG side, the only problem is the reverse routing.
> Proxy ARP/ND works well for VPNs to hosts but for VPNs to subnetworks
> only reverse route injection does the job.
> 

I'm not sure I fully understand what you just said, but one of the
things I think I just read is that routing happens after SPD use. I
think this is highly implementation specific. I've created an
implementation which supports per-interface policies. In this
implementation, the SPD for the ingress interface is consulted upon
receiving a packet, and the appropriate policy is applied. After this
step, a routing lookup is performed to determine the exit interface, and
then the SPD associated with that interface is consulted. This is a
powerful model with interesting properties.

Now, you could say that the SPD is used before routing, as the one on
the ingress interface certainly is, but what about the one on the egress
interface? As for routes being the same with or without the VPN, this is
typically true for exiting packets, although not necessarily in cases
where an encapsulation occurs due to policy related operations.

Scott

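To make the processing order Scott describes concrete, here is an added simulation (example code, not from either poster's implementation): a per-interface SPD is consulted on ingress, a route lookup picks the egress interface, and that interface's SPD is consulted in turn, with tunnel-mode encapsulation sending the packet back through routing. The addresses, interface names and policies are constructed; the bypass entry for the peer on eth2 plays the role of the "disable infinite recursive protection" entries Francis mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner_dst: Optional[str] = None  # set once tunnel-mode encapsulation has happened
@dataclass(frozen=True)
class Policy:
    selector: str               # destination prefix the SPD entry matches
    action: str                 # "bypass", "discard" or "protect"
    peer: Optional[str] = None  # tunnel endpoint (outer destination) for "protect"
def _longest(prefixed, dst):
    """Longest-prefix match over (prefix, item) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), it) for p, it in prefixed if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
def _policy(spd, iface, dst):
    """SPD lookup for one interface; no matching entry means discard, as in RFC 4301."""
    return _longest([(p.selector, p) for p in spd[iface]], dst) or Policy("0.0.0.0/0", "discard")

def forward(pkt, spd, rib, ingress, max_hops=4):
    """Ingress SPD, route lookup, then egress SPD; returns ((iface, action) steps, outgoing packet)."""
    pol = _policy(spd, ingress, pkt.dst)
    steps = [(ingress, pol.action)]
    if pol.action == "discard":
        raise PermissionError(f"discarded on ingress {ingress}")
    for _ in range(max_hops):
        egress = _longest(rib, pkt.dst)
        if egress is None:
            raise LookupError(f"no route to {pkt.dst}")
        pol = _policy(spd, egress, pkt.dst)
        steps.append((egress, pol.action))
        if pol.action == "discard":
            raise PermissionError(f"discarded on egress {egress}")
        if pol.action == "bypass":
            return steps, pkt
        # "protect": encapsulation rewrites the outer destination, so the packet is routed again
        # and may leave through a different interface than the inner destination would have.
        pkt = Packet(pkt.src, pol.peer, inner_dst=pkt.inner_dst or pkt.dst)
    raise RecursionError("policy keeps encapsulating: no bypass entry for the peer")

# Constructed topology: LAN on eth0, default route via eth1, VPN peer reachable via eth2.
RIB = [("10.1.0.0/16", "eth0"), ("0.0.0.0/0", "eth1"), ("198.51.100.0/24", "eth2")]
SPD = {"eth0": [Policy("0.0.0.0/0", "bypass")],
       "eth1": [Policy("10.2.0.0/16", "protect", peer="198.51.100.1"), Policy("0.0.0.0/0", "bypass")],
       "eth2": [Policy("198.51.100.1/32", "bypass")]}  # no catch-all: anything else is discarded
def demo():
    return forward(Packet("10.1.0.5", "10.2.0.7"), SPD, RIB, ingress="eth0")
```

Running `demo()` shows the inner packet routed to eth1, protected there, and the encapsulated packet leaving via eth2 instead; dropping the eth2 bypass entry in favour of a catch-all "protect" makes `forward` raise, which is the recursion Francis's extra SPD entries are there to prevent.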