Re: IPsec vs ssh

On Fri, Nov 15, 2013 at 12:00:07AM -0800, John Nemeth wrote:
> } > 
> } >     A tunnel is basically encapsulation of any sort.  So, when you
> } 
> } Wrong, wrong, wrong.  IPsec has separate tunnel and transport modes.
>      If you had been following the thread, and seen the configuration
> examples you would have seen that he was using IPSec in tunnel
> mode.  Transport mode, of course, doesn't encapsulate the packet;
> it simply adds an ESP header (and encrypts the data portion) or an
> AH header.  Regardless of this, the statement that, "A tunnel is
> basically encapsulation of any sort," stands on its own, and is
> correct.  NOT WRONG!!!

I'm sorry you're upset, but what you said was still incorrect, and
shouting about it strikes me as vaguely like spitting at the sky because
it's raining.

IPsec transport-mode encapsulation is not "a tunnel" by any reasonable
definition of "a tunnel" I can think of.  Neither is the encapsulation
of TCP in IPv4 nor in IPv6.  Encapsulating a Mifare RFID tag in a glass
bead for injection under the skin of a cat, similarly, is not a tunnel.

Indeed, the only sort of rationale I can think of to support the claim
that "a tunnel is basically encapsulation of any sort" is one of the
form "because a tunnel is basically encapsulation of any sort".  But,
for one reason or another, I do not find that terribly persuasive.


