
Re: typical IPsec-based VPNs incl. modecfg vs. DHCP

At 2:29 PM -0800 2/13/03, Scott G. Kelly wrote:
><SNIP>
>
>As a matter of clarification, the "virtual interfaces" I refer to above
>are also called "tunnel interfaces" in some implementations. I saw some
>early open source ipsec implementations which used this approach (maybe
>bsd-based). Basically, a tunnel is established, and then the tunnel is
>treated as an interface (a virtual interface). There is no SPD/SAD
>selection, per se; rather, a standard routing lookup determines which
>interface a packet exits via, and ipsec tunnels have vif entries in the
>routing table, making them look like "exit interfaces".
>
>In such cases, no SPD entries are consulted following the routing
>lookup, and the routing table (effectively) becomes the SAD/SPD. I think
>this has obvious issues in terms of satisfying the selector criteria you
>outlined in RFC2401, for the reasons I enumerated above.
>
>I also think this is significantly different than what you are referring
>to above (the design you are developing), and I think you refer to the
>same sort of design I described as having implemented in order to
>support independent, per-interface policies. I hope you didn't think I
>intended to criticize your approach. On the contrary, I think this model
>is very powerful.
>

No problem, Scott. I was catching up on mail and got things out of 
order. I understand the differences between what you described and 
what I have suggested. My message was really a clarification for the 
list, nothing more.

Steve
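The two selection models Scott contrasts above (routing lookup with tunnel "vifs" as exit interfaces, versus an ordered RFC 2401 SPD consulted on selectors) can be put side by side in a few lines. The following is an added illustration, not code from either poster or from any of the implementations mentioned; the prefixes, SA names (sa-ssh, sa-site), interface names and packets are constructed for the example. It shows the concrete gap: a routing lookup keys on the destination address only, so every flow to the same prefix lands on the same tunnel, while an SPD can discard, bypass, or steer to a different SA based on protocol and port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# All tables and packets below are constructed for illustration only.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    sport: int
    dport: int

# --- Model 1: routing table with tunnel (virtual) interfaces ---------------
# An IPsec tunnel is just another exit interface ("vif"), so the only
# selection criterion available is the destination address: the route is
# the policy. Hypothetical prefixes and interface names.
ROUTES = [
    ("10.2.0.0/16", "ipsec0"),   # tunnel to the remote site
    ("10.0.0.0/8",  "eth1"),     # rest of the internal network, in the clear
    ("0.0.0.0/0",   "eth0"),     # default route
]

def route_lookup(pkt: Packet) -> str:
    """Longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

# --- Model 2: RFC 2401-style SPD with ordered selector entries ------------
# Entries select on (src, dst, proto, dport) and yield one of the three
# RFC 2401 actions: DISCARD, BYPASS (send in the clear) or PROTECT (apply
# IPsec using a particular SA).
@dataclass
class SpdEntry:
    src: str
    dst: str
    proto: Optional[str]       # None = any protocol
    dport: Optional[int]       # None = any port
    action: str                # "DISCARD" | "BYPASS" | "PROTECT"
    sa: Optional[str] = None   # SA/tunnel to use when action is PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# Hypothetical policy: no telnet across the tunnel, ssh in its own SA,
# everything else to the remote site in the site SA, all other traffic clear.
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "tcp", 23, "DISCARD"),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "tcp", 22, "PROTECT", "sa-ssh"),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT", "sa-site"),
    SpdEntry("0.0.0.0/0",   "0.0.0.0/0",   None, None, "BYPASS"),
]

def spd_lookup(pkt: Packet) -> Tuple[str, Optional[str]]:
    """First match over the ordered SPD; RFC 2401 requires the SPD to be
    ordered and searched in a fixed order, and a packet with no matching
    entry to be discarded."""
    for e in SPD:
        if e.matches(pkt):
            return (e.action, e.sa)
    return ("DISCARD", None)

def compare(pkt: Packet) -> dict:
    """Side-by-side result of the two models for one packet."""
    return {"route": route_lookup(pkt), "spd": spd_lookup(pkt)}

if __name__ == "__main__":
    flows = [
        Packet("10.1.0.7", "10.2.0.5", "tcp", 40000, 22),
        Packet("10.1.0.7", "10.2.0.5", "tcp", 40001, 23),
        Packet("10.1.0.7", "10.2.0.5", "tcp", 40002, 80),
        Packet("10.1.0.7", "10.3.0.9", "tcp", 40003, 80),
    ]
    for p in flows:
        print(p.dst, p.dport, compare(p))
```

Running it, the three flows to 10.2.0.5 all exit via ipsec0 under the routing model, whereas the SPD discards the telnet flow, puts ssh in sa-ssh and the rest in sa-site; the routing model has no place to express those distinctions short of giving each policy its own vif and route, which is the point made in the quoted message.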