On Nov 5, 2013, at 1:45 PM, Paul Wouters <[email protected]> wrote:

> On Tue, 5 Nov 2013, Manish Kumar (manishkr) wrote:
> 
>> "I don't like that DMVPN does not let http traffic continue to travel via
>> HQ's
>> virus/trojan/netnanny while RTP takes the shortcut."
>> 
>> While I do appreciate that the following could represent a valid use
>> case, it would be inaccurate to say DMVPN doesn't allow this. It does
>> allow it, but not using the IPSec tools; the protocol programming the
>> forwarding layer (could be policy based) controls what goes via the hub as
>> opposed to what goes on the shortcut tunnel. Also, I would see this as
>> a path selection problem more than 'the kind of security treatment a
>> certain class of traffic needs' - it's another matter that different paths
>> provide different security services/treatment. Since the network topology
>> information and hence the path that a class of traffic may take is not
>> privy to IKE/IPSec, it's only appropriate that a protocol aware of this
>> takes this call. This is the reason I don't concur with your other comment
>> about doing this in IKE.
> 
> Couldn't that policy be exposed in IKE using traffic selectors for port
> 80 or 443? In all of the three proposed solutions?

Not really. In DMVPN the only selectors are {Gw-IP, GW-IP, Proto=47}, because
everything goes through a GRE tunnel.

In draft-mao it's IPsec tunnels, but they still use universal selectors and
select traffic through a routing protocol.

In both cases you can get what you're looking for if you have routing based on
port. It's only in draft-sathyanarayan that you can do that with IPsec traffic
selectors.
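An added illustration, not code from this thread or from any of the drafts it names: a toy IPsec SPD lookup with constructed gateway addresses and packets, showing why port-based traffic selectors cannot steer HTTP versus RTP when IPsec only sees the GRE outer header (DMVPN-style), but can when, as the message says of draft-sathyanarayan, the selectors apply to the inner flows.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    """One IPsec traffic selector (address/proto/port; None or 'any' = wildcard)."""
    src: str
    dst: str
    proto: Optional[int]
    dport: Optional[int]

    def matches(self, pkt: dict) -> bool:
        return (self.src in ("any", pkt["src"]) and self.dst in ("any", pkt["dst"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

def spd_lookup(spd, pkt):
    """First-match SPD lookup; returns the SA (path) the packet is sent on."""
    for selector, sa in spd:
        if selector.matches(pkt):
            return sa
    return "DISCARD"

def gre_encapsulate(pkt, local_gw, remote_gw):
    """Outer IP header IPsec sees after GRE encapsulation: inner ports are hidden."""
    return {"src": local_gw, "dst": remote_gw, "proto": 47, "inner": pkt}

# Constructed addresses and packets (documentation ranges, not real hosts).
HUB, SPOKE_A, SPOKE_B = "198.51.100.1", "192.0.2.1", "192.0.2.2"
HTTP = {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": 6, "dport": 80}
RTP = {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": 17, "dport": 5004}

# DMVPN-style SPD: only {GW-IP, GW-IP, proto 47} selectors, one per peer.
DMVPN_SPD = [(Selector(SPOKE_A, HUB, 47, None), "hub-SA"),
             (Selector(SPOKE_A, SPOKE_B, 47, None), "shortcut-SA")]

# Selectors applied to the inner flows: port 80/443 pinned to the hub path.
INNER_SPD = [(Selector("any", "any", 6, 80), "hub-SA"),
             (Selector("any", "any", 6, 443), "hub-SA"),
             (Selector("any", "any", None, None), "shortcut-SA")]

def dmvpn_path(pkt, next_hop_gw):
    """Routing chose next_hop_gw before IPsec saw the packet; IPsec only sees GRE."""
    return spd_lookup(DMVPN_SPD, gre_encapsulate(pkt, SPOKE_A, next_hop_gw))

def inner_selector_path(pkt):
    """IPsec selectors on the inner flow can steer by port on their own."""
    return spd_lookup(INNER_SPD, pkt)
```

With the DMVPN SPD, HTTP and RTP bound for the same spoke land on the same SA whatever their port; only the routing decision (the next-hop gateway) changes the path, which is the point made above.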
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec