>>>>> "Mike" == Mike Sullenberger <[email protected]> writes:
Mike> We use other tunnel mechanisms (GRE), because IPsec tunneling
Mike> mode is lacking in functionality. For example, when you use
Mike> GRE for the tunneling you also reduce the IPsec SA's that are
Mike> needed to "describe" the traffic for IPsec to encrypt. If you
Mike> use IPsec tunnel mode only then for each pairing of subnets
Mike> behind each peer you need a separate IPsec SA. For example if
Mike> there are 5 subnets each behind two peers then you need up to
Mike> 25 SA pairs to describe exactly what needs to be encrypted and
Mike> nothing more. If you tunnel the data traffic first then you
Mike> only need 1 SA pair for all traffic, since IPsec encrypts the
Mike> tunnel itself and not the traffic within the tunnel.
>> So, you trade IPsec SAs ("security ACLs") for extended
>> access-lists and routing tables. I don't see a difference if
>> both are automatically updated by a policy engine.
>>
>> I can see that this might matter for devices with fixed purpose
>> ASICs that accelerate one kind of access list, but not another..
Mike> I am not sure where you are getting a set of extended
Mike> access-lists. There aren't any extended access-lists added.
Mike> If a packet is routed through the tunnel it is encapsulated
Mike> and then encrypted. There isn't any access-list necessary.
Oh, I'm sorry, I thought you were creating a secure network!
What you are saying is that you are creating an overlay network, where
different sites can impersonate each other!
Mike> What you call other fancy features is what I call functional
Mike> separation. IPsec does encryption well, but in reality it does
Mike> a fairly poor job of tunneling. So lets have IPsec do what it
Mike> does well and have GRE do what it does well and that is
Mike> tunneling. Then you add NHRP do to next-hop
>> I'm curious if you've worked with any other vendor's IPsec?
>> Because the issues you describe seem to be implementation
>> limitations.
Mike> I have worked some with other vendor's IPsec when
Mike> troubleshooting interaction issues. I still believe that
Mike> IPsec at the base is not a good tunneling protocol.
CISCO IOS IPsec is a poor tunneling protocol.
Many other vendors do a better job.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
