On Tue, 5 Nov 2013, Manish Kumar (manishkr) wrote:
"I don't like that DMVPN does not let http traffic continue to travel via
HQ's virus/trojan/netnanny while RTP takes the shortcut."
While I do appreciate that the following could represent a valid use
case, it would be inaccurate to say DMVPN doesn't allow this. It does
allow it, but not using the IPSec tools; the protocol programming the
forwarding layer (which could be policy based) controls what goes via the
hub as opposed to what goes on the shortcut tunnel. Also, I would see this
more as a path selection problem than as 'the kind of security treatment a
certain class of traffic needs' - it's another matter that different paths
provide different security services/treatment. Since the network topology
information, and hence the path that a class of traffic may take, is not
privy to IKE/IPSec, it's only appropriate that a protocol aware of this
takes this call. This is the reason I don't concur with your other comment
about doing this in IKE.
Couldn't that policy be exposed in IKE using traffic selectors for port
80 or 443? In all of the three proposed solutions?
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
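An added example, not part of this thread, of what Paul's suggestion looks like mechanically: the spoke-to-spoke (shortcut) SA's policy is written as IKEv2 traffic selectors that cover every port except the hub-only ones, and the selectors a peer proposes are narrowed against that policy in the way RFC 7296 section 2.9 describes. The TrafficSelector type, port numbers and 10.1.0.0/16 subnet are constructed for the example; one caveat it makes visible is that "everything except 80/443" is not a single port range, so the TS payload has to carry several selectors.

```python
# Added example; not code from the thread or from any IKE implementation.
# Models IKEv2 TS_IPV4_ADDR_RANGE selectors (address range + port range).
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class TrafficSelector:
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int
    end_port: int


def intersect(a, b):
    """Overlap of two selectors, or None when addresses or ports are disjoint."""
    sa, ea = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if sa > ea or sp > ep:
        return None
    return TrafficSelector(sa, ea, sp, ep)


def narrow(proposed, policy):
    """Responder-side narrowing: keep every non-empty overlap between the
    peer's proposed selectors and the local policy for this SA."""
    return [r for p in proposed for q in policy if (r := intersect(p, q))]


def shortcut_policy(subnet_start, subnet_end, hub_only_ports=(80, 443)):
    """Selectors for the shortcut SA: all ports except the hub-only ones.
    The complement of a set of ports is several ranges, hence several
    selectors (constructed defaults: HTTP and HTTPS stay on the hub path)."""
    selectors, lo = [], 0
    for port in sorted(hub_only_ports):
        if port > lo:
            selectors.append(TrafficSelector(subnet_start, subnet_end, lo, port - 1))
        lo = port + 1
    if lo <= 65535:
        selectors.append(TrafficSelector(subnet_start, subnet_end, lo, 65535))
    return selectors


def covers_port(selectors, port):
    """True if any selector would carry traffic on this port over the SA."""
    return any(s.start_port <= port <= s.end_port for s in selectors)


# Constructed spoke proposal: the whole 10.1.0.0/16, all ports.
SUBNET = (IPv4Address("10.1.0.0"), IPv4Address("10.1.255.255"))
PROPOSED = [TrafficSelector(*SUBNET, 0, 65535)]
NARROWED = narrow(PROPOSED, shortcut_policy(*SUBNET))
```

Whether a peer accepts a multi-selector narrowed result, and whether the forwarding layer then actually steers port 80/443 flows to the hub SA rather than dropping them, is exactly the routing-versus-IKE question Manish raises; the selectors alone only say which traffic the shortcut SA will carry.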