Re: [Ipsec] Ipsec // Tunn-Encry
Hi Ran.

First, this is the IPsec mailing list, so you should not assume that
everybody knows what an MGC is.

Anyway, the answer depends on the MGC and MG. If they're both
IPsec-capable computers, they don't need tunneling. If they're behind
IPsec-capable gateways, they do need tunneling.

The question is whether the signaling info is secret - whether it is
required that it be hidden (encrypted) or it's enough that the MG know
that it really came from the MGC. If you only need authentication, AH is
enough. If you need encryption, you need ESP. This really depends on the
application requirements.

So, for IPsec-capable MG and MGC, you can use Transport mode IPsec. For
non-IPsec-capable peers, you need tunnel mode.

For authentication only you need AH. For encryption, you need ESP.

For some applications (I have no idea about yours) there is some
specification of what kind of IPsec to apply. For example, L2TP
mandates ESP in Transport mode. If there is such a standard for MGC-MG
connections, you should probably stick with that.

Yoav

Randall Solano wrote:
Hello All:
IPsec for signaling links (control call) between MGCs
and MG.
What would you use? IPsec Tunneling or Encry.
Ran
_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec
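
The two cases from the reply above (IPsec-capable endpoints versus endpoints behind IPsec-capable gateways), written out as an added configuration example that is not part of the original message. It assumes strongSwan's swanctl.conf syntax, which the thread does not mention; all addresses, connection names, identities and certificate file names are constructed placeholders.

```conf
# Constructed swanctl.conf fragment (strongSwan syntax assumed).
# Addresses, names and certificate files are placeholders.
connections {
    # Case 1: MGC and MG both run IPsec themselves, so transport mode.
    mgc-to-mg {
        # Assumed MGC address, then assumed MG address.
        local_addrs = 192.0.2.10
        remote_addrs = 192.0.2.20
        local {
            auth = pubkey
            certs = mgc-cert.pem
        }
        remote {
            auth = pubkey
            id = mg.example.net
        }
        children {
            signaling {
                mode = transport
                # Signaling must be hidden: ESP (encryption plus integrity).
                esp_proposals = aes256gcm16
                # Authentication only: offer AH instead of the line above.
                # ah_proposals = sha256
            }
        }
    }
    # Case 2: the peers are not IPsec-capable and sit behind gateways,
    # so the gateways use tunnel mode and carry the inner networks.
    gw-to-gw {
        # Assumed gateway in front of the MGC, then the one in front of the MG.
        local_addrs = 198.51.100.1
        remote_addrs = 203.0.113.1
        local {
            auth = pubkey
            certs = gw-a-cert.pem
        }
        remote {
            auth = pubkey
            id = gw-b.example.net
        }
        children {
            signaling {
                mode = tunnel
                # Assumed MGC-side network, then assumed MG-side network.
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256gcm16
            }
        }
    }
}
```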