On Thu, 2002-11-28 at 15:59, Michel Py wrote:
> Mark,
>
> > Mark Smith wrote:
> > I've always thought we were trying to solve this same
> > single problem, and GUPIs and GUSLs were basically the
> > same thing.
>
> GUSL solves the merger thing, but not the VPN.

I'm not sure I see the difference. Presuming running IPsec in tunnel mode, the outer addressing (i.e. your tunnel end points) is using global addresses, but the inner addressing is whatever you like it to be (and is hidden from the Internet anyway as the IPsec ESP encrypted payload).

What addressing would nodes use when they decide to talk to each other over the IPsec tunnel?

If the nodes use their global addresses, then the IPsec tunnel becomes a single-hop short circuit of the Internet routing infrastructure between the sites. The advantage it adds is the encryption and authentication of the traffic between sites. But if nodes want that level of security, an alternative is to do end-to-end opportunistic IPsec between the nodes themselves.

I'm not sure if there is a problem with using global addresses inside a site-to-site IPsec tunnel; I'll need to think about it some more.

I do need to put together a follow-up email on a related IPsec / site-local topic though.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
