
Re: VPN Touch doc



>bill's comment "Perhaps all working ipsec tunnels on BSD-based
>operating systems use virtual interfaces" is overstating the case at
>least slightly.

Yup, I should have said "Perhaps all working ipsec tunnels in cases
where source address selection is necessary to cause traffic to work
inside the tunnel", i.e., the case where the host has to send with
an address that belongs to the tunnel endpoint which is only present
in the SPD.

>taking a step back, the real problem here, as far as i can tell, is
>that overlay networks are confusing when a single ip engine with a
>single ip forwarding table has to operate in both the overlay
>network(s) and the base network.

Right, and for 2547 VPNs people create multiple routing tables or
stack multiple IP stacks.  The same solution could apply here if
you use tunnels underneath IPsec.

>which makes me suspect that
>some of what the touch draft is on about may be implementation issues
>rather than anything fundamental about ipsec tunnel mode.

I think that's at least partly true; or, the *BSD implementation brings
out these points (which may be hard to get right in this case without
rewriting the stack with IPsec in mind).

  Bill
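The point above about a single forwarding table versus per-VPN tables (as in 2547-style VPNs) can be made concrete with a small simulation. The example below is added here and is not code from the thread or from any BSD stack; addresses are constructed from documentation ranges, and the "base"/"overlay" table names are this example's own labels. It models one host that sits in both the base network and an overlay whose policy sends all traffic through the tunnel: with a single table the overlay's default route shadows the base default, so the encapsulated packet addressed to the tunnel endpoint itself resolves back into the tunnel; with a separate table per context the outer lookup stays in the base table and the loop disappears.

```python
import ipaddress

# Constructed example tables: (prefix, next hop). Addresses are from RFC 5737 documentation ranges.
TUNNEL_IFACE = "tun0"
TUNNEL_ENDPOINT = "203.0.113.5"          # remote IPsec peer, reachable only via the base network

BASE_TABLE = [
    ("198.51.100.0/24", "eth0"),          # directly connected base network
    ("0.0.0.0/0", "eth0 via 198.51.100.1"),  # base default route to the ISP gateway
]

OVERLAY_TABLE = [
    ("10.0.0.0/8", TUNNEL_IFACE),         # overlay address space
    ("0.0.0.0/0", TUNNEL_IFACE),          # overlay policy: send everything through the VPN
]


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next hop); None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def single_table():
    """One forwarding table for both networks: a table holds one default, so the overlay
    default (installed later) replaces the base default. This mimics the 'single ip engine'
    case the thread describes."""
    merged = dict(BASE_TABLE)
    merged.update(dict(OVERLAY_TABLE))
    return list(merged.items())


def single_table_lookup(dst):
    return lookup(single_table(), dst)


def vrf_lookup(dst, context):
    """Separate tables selected by context: 'base' for the outer (encapsulated) packet,
    'overlay' for the inner packet. Assumed model, not any particular stack's API."""
    table = BASE_TABLE if context == "base" else OVERLAY_TABLE
    return lookup(table, dst)


def encapsulation_loops(resolve):
    """True when the route to the tunnel endpoint itself points back into the tunnel:
    the ESP packet would be re-encapsulated instead of leaving on the base network."""
    return resolve(TUNNEL_ENDPOINT) == TUNNEL_IFACE


if __name__ == "__main__":
    print("single table, outer packet to endpoint ->", single_table_lookup(TUNNEL_ENDPOINT))
    print("single table loops:", encapsulation_loops(single_table_lookup))
    print("per-context, outer packet to endpoint ->", vrf_lookup(TUNNEL_ENDPOINT, "base"))
    print("per-context, inner packet to 10.1.2.3 ->", vrf_lookup("10.1.2.3", "overlay"))
    print("per-context loops:", encapsulation_loops(lambda d: vrf_lookup(d, "base")))
```

The usual real-world workaround for the single-table case is a host route for the tunnel endpoint pointing at the base gateway, which is exactly the kind of per-host hack the thread attributes to implementation rather than to anything fundamental in tunnel mode; the per-context table makes that route unnecessary because the outer lookup never consults the overlay's default.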