Subject: Re: Dumping encrypted and unencrypted packets when using IPSec
To: Martin Husemann <martin@duskware.de>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 04/13/2004 08:50:27

On Fri, Apr 09, 2004 at 04:20:11PM +0200, Martin Husemann wrote:
> And you can get at the complete ethernet frames easily by running
> tcpdump on the raw ethernet interface instead of on pppoe0.

This, to me, indicates part of the "problem" with the ipsec case: it
would be very handy to have decrypted packets appear again on another
virtual interface. A number of interface-oriented tools can then work
with those packets as normal, including tcpdump, ipf and others.

It can be simulated, if you have control and the right capabilities at
both ends of the connection - by using gre(4) or gif(4) tunnels and
transport-mode IPsec on the gif/gre packets, rather than IPsec
tunnels.  I have found this to be much more convenient, for the above
reasons, and also for working around some PMTU cases, but it's
somewhat hackish - certainly not applicable generally.

--
Dan.



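Added example (not part of the original message, and not its author's configuration): one way the gif(4) plus transport-mode IPsec arrangement described above could be written on NetBSD, next to the tunnel-mode policy it replaces. The script only prints the commands and setkey(8) policy lines; the addresses, the gif0 unit, the physical interface name and the function names are assumptions, and the SAs (keys) are expected to come from an IKE daemon or manual entries that are not shown.

```shell
#!/bin/sh
# Prints (does not apply) a gif(4) tunnel protected by transport-mode ESP.
# Every address below is a constructed placeholder, not taken from the thread.
LOCAL_OUTER=192.0.2.1       # this host's public address (assumed)
REMOTE_OUTER=198.51.100.1   # peer's public address (assumed)
LOCAL_INNER=10.0.0.1        # gif0 address at this end (assumed)
REMOTE_INNER=10.0.0.2       # gif0 address at the peer (assumed)
PHYS_IF=wm0                 # physical interface name (assumed)

# ifconfig(8) commands that create the virtual tunnel interface.
gif_commands() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_OUTER $REMOTE_OUTER
ifconfig gif0 inet $LOCAL_INNER $REMOTE_INNER netmask 255.255.255.255
EOF
}

# setkey(8) policy: transport-mode ESP on the encapsulated packets only.
# $1 is the upper-layer protocol: ip4 for gif(4) IPv4-in-IPv4, gre for gre(4).
transport_policy() {
    cat <<EOF
spdadd $LOCAL_OUTER $REMOTE_OUTER $1 -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER $LOCAL_OUTER $1 -P in ipsec esp/transport//require;
EOF
}

# For comparison: the IPsec tunnel-mode policy for the same endpoints, where
# no interface carries the decrypted packets.
tunnel_policy() {
    cat <<EOF
spdadd $LOCAL_INNER/32 $REMOTE_INNER/32 any -P out ipsec esp/tunnel/$LOCAL_OUTER-$REMOTE_OUTER/require;
spdadd $REMOTE_INNER/32 $LOCAL_INNER/32 any -P in ipsec esp/tunnel/$REMOTE_OUTER-$LOCAL_OUTER/require;
EOF
}

# Capture points once the gif setup is active.
capture_points() {
    echo "tcpdump -n -i gif0          # inner packets, decrypted"
    echo "tcpdump -n -i $PHYS_IF esp  # the same traffic as ESP on the wire"
}

gif_commands
transport_policy ip4
capture_points
```

The peer needs the mirror-image configuration, with the local and remote values swapped.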