Re: IPSEC tunnels for LAN-to-LAN interop issue



  stephen> 1) IP tunnel device tunnels packets, IPSEC then applies
  stephen> transport-mode protection to the IP-in-IP packets as they leave.

This is the option we choose for the X-Bone (http://www.isi.edu/x-bone), as
the KAME and CAIRN stacks do not (yet?) support option 2. The only problem
with this approach is of course that your IPsec selectors match on the outer
header, i.e. there is no way to have different SAs based on the inner
(virtual) addresses. For now, we circumvent this problem by encapsulating
twice.
 
  stephen> 2) IPSEC tunnel is modeled as an interface, and just negotiates
  stephen> tunnel mode and exposes the resulting tunnel as an interface. This
  stephen> is akin to marrying an SDP policy with an Interface.

We believe this would be the cleanest option, and we'd very much like to see
it implemented. There was a discussion about this recently on the KAME
snap-users mailing list (thread subject "RIP over IPsec tunnels?") accessible
at http://www.kame.net/snap-users/.

Lars
______________________________________________________________________________
Lars Eggert <larse@isi.edu>                     Information Sciences Institute
http://www.isi.edu/~larse/                   University of Southern California
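The selector problem Lars describes for option 1, as an added toy model that is not code from the post, the X-Bone, KAME or CAIRN; packet addresses, SPD entries and SA names are constructed for illustration.

```python
# Toy model of the two IPsec-over-tunnel designs discussed in the thread.
# Constructed example; not X-Bone, KAME or CAIRN code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # payload of an IP-in-IP packet


def ipip_encap(inner: Packet, tun_src: str, tun_dst: str) -> Packet:
    """IP tunnel device: wrap a (virtual) packet in an outer IP header."""
    return Packet(tun_src, tun_dst, inner)


# Constructed SPD: ordered (src selector, dst selector, SA name); "*" matches any.
SPD = [
    ("10.0.1.1", "10.0.2.1", "SA-virt-A"),        # virtual (inner) hosts
    ("10.0.1.2", "10.0.2.2", "SA-virt-B"),
    ("192.0.2.1", "198.51.100.1", "SA-phys"),     # physical tunnel endpoints
]


def lookup(spd, src: str, dst: str) -> Optional[str]:
    """First-match SPD lookup on a (src, dst) pair."""
    for s, d, sa in spd:
        if s in ("*", src) and d in ("*", dst):
            return sa
    return None


def option1_transport_over_ipip(spd, virt_pkt: Packet, tun_src: str, tun_dst: str):
    """Option 1: IP-in-IP first, then transport-mode IPsec on the result.
    The selectors only ever see the outer (physical) header, so every
    virtual flow between the same endpoints lands on the same SA."""
    outer = ipip_encap(virt_pkt, tun_src, tun_dst)
    return lookup(spd, outer.src, outer.dst)


def option2_tunnel_interface(spd, virt_pkt: Packet):
    """Option 2: the IPsec tunnel is itself the interface, so the policy
    is evaluated on the packet before encapsulation, i.e. on the inner
    (virtual) addresses, and per-flow SAs become possible."""
    return lookup(spd, virt_pkt.src, virt_pkt.dst)
```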
