Subject: Re: gre encap destination = point-to-point destination
To: Greg Troxel <gdt@ir.bbn.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 05/14/2007 10:02:46

On Sun, May 13, 2007 at 06:51:29PM -0400, Greg Troxel wrote:
>
> Jason Thorpe <thorpej@shagadelic.org> writes:
>
> > Yah, I gotta say, I always thought tunnel mode IPsec was stupid.
>
> I see your point, but note that tunnel mode IPsec lets you use the SPD
> to choose the packets to which IPsec is applied, and to validate that
> those packets coming out of the tunnel are also valid.

You can, but unfortunately the ipsec spd packet filter language is so
impoverished (no connection state tracking, etc.) that this is much
harder and less convenient than it should be. Essentially, it gets
used as a much blunter instrument than the other packet filter
languages available (ipf/pf).

The spd language is a good fit for saying things like "encrypt gre
transport between me and thee", though.

> So you need firewall and routing and IP-IP and transport to replace it.

Precisely; this is the desired basis of the exercise, rather than some
kind of overhead or disincentive cost. The point is to be able to use
these tools with ipsec, rather than in spite of it.  Unifying the SPD
with the rest of the packet matching mechanism (e.g., "encrypt" actions
as well as block or pass) would be very nice, but has not found an
interested and capable volunteer.

--
Dan.
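Added example, not from the thread or from NetBSD itself: the narrow SPD policy Dan describes ("encrypt gre transport between me and thee") written in setkey(8) syntax, with the stateful filtering the SPD cannot do done on the gre(4) interface by pf. The addresses, interface name and pf rules are constructed placeholders, and the IKE/SA setup (racoon or manual `add` lines) is assumed to already exist.

```shell
#!/bin/sh
# Added example: keep the SPD to "ESP-protect GRE between these two
# endpoints" and put the real policy on the gre interface with pf.
# All addresses below are constructed documentation-range values.
LOCAL_EP=192.0.2.1      # our outer (IPsec/GRE) endpoint
REMOTE_EP=198.51.100.1  # peer's outer endpoint
LOCAL_IN=10.0.0.1       # inner addresses carried inside the GRE tunnel
REMOTE_IN=10.0.0.2
GREIF=gre0              # assumed interface name

# setkey(8) SPD: only IP protocol 47 (gre) between the two endpoints is
# required to be ESP-protected, in transport mode, in both directions.
# Everything else is untouched by IPsec and left to pf/routing.
spd_gre_transport() {
    printf 'spdadd %s %s gre -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s gre -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# pf rules for the *inner* traffic on the gre interface. pf is last-match
# unless "quick", so the default block comes first and the stateful
# passes follow; this is the connection tracking the SPD language lacks.
pf_gre_rules() {
    cat <<EOF
block in on $1 all
pass in on $1 inet proto tcp from $2 to $3 port 22 keep state
pass out on $1 inet proto icmp from $3 to $2 keep state
EOF
}

# Apply only on a NetBSD host where the tools exist and we are root;
# anywhere else just print what would be loaded.
if [ "$(id -u)" = 0 ] && command -v setkey >/dev/null 2>&1; then
    spd_gre_transport "$LOCAL_EP" "$REMOTE_EP" | setkey -c
    ifconfig "$GREIF" create
    ifconfig "$GREIF" tunnel "$LOCAL_EP" "$REMOTE_EP"
    ifconfig "$GREIF" inet "$LOCAL_IN" "$REMOTE_IN"
    pf_gre_rules "$GREIF" "$REMOTE_IN" "$LOCAL_IN" | pfctl -f -
else
    spd_gre_transport "$LOCAL_EP" "$REMOTE_EP"
    pf_gre_rules "$GREIF" "$REMOTE_IN" "$LOCAL_IN"
fi
```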