Re: IPSEC target and transport mode

> I really don't like this idea.
>
> While it is true that Tunnel Mode does not require the use of a gateway,
> Transport Mode is actually the more general mode.
>
> It is possible to combine Transport Mode with any arbitrary something-in-IP
> tunneling protocol (IP-IP, GRE, etc.). In the case of Transport Mode +
> IP-IP tunneling, you achieve something that is equivalent to Tunnel Mode,
> thus satisfying those who need it (I suggest that everyone read
> draft-touch-ipsec-vpn-03.txt).

Having worked with transport mode tunnels for a few years now (L2TP), we have come to the same conclusion. By linking SA selection to next hop forwarding, tunnel mode complicates routing considerably. Transport mode tunnels are more compatible with dynamic routing protocols. Today most tunnel mode vendors only support either static routing or BGP run down the tunnel, and that makes it very difficult for enterprise customers to manage and deploy large numbers of tunnels.

Although it can be done, Tunnel mode is also more difficult to implement as an interface than Transport mode IP-IP. There already is pushback on iSCSI HBAs that cannot act as a full-fledged interface; this will ensure that this continues to be a problem many years into the future.

> Transport Mode is also less expensive from a processing point of view.
> If you use Tunnel Mode with no gateway (i.e. inner-dest==outer-dest,
> outer-source==inner-source), you still have to de-encap the packet and
> re-process it, which is something you don't have to do in Transport
> Mode.

It would seem to me that this additional cost might be a concern in the 10 Gbps case in particular.
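The two claims quoted above (that Transport Mode over an IP-IP tunnel yields the same thing as Tunnel Mode, and that host-to-host Tunnel Mode still costs an extra decapsulation pass that plain Transport Mode avoids) can be checked at the byte level. The following Python is an added illustration written for this page, not code from the original message or from draft-touch-ipsec-vpn-03.txt. It constructs simplified IPv4 and ESP framing (no checksums, no encryption, no integrity check value, constructed example addresses) so that the header layout and the number of IP-input passes needed to reach the transport payload can be compared directly.

```python
"""Constructed comparison of IPsec Tunnel Mode vs Transport Mode + IP-IP.

Framing is deliberately simplified: checksums are zero, ESP carries no
encryption or ICV, and addresses are documentation-range examples.  The point
is the header layout and how many times the IP input path must run, not a
working IPsec stack.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP (RFC 2003)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IP_HDR_LEN = 20
ESP_HDR_LEN = 8     # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2 # pad length (1) + next header (1); padding/ICV omitted


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left as zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IP_HDR_LEN + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def esp_wrap(spi, seq, payload, next_header):
    """ESP header + protected payload + trailer (next-header identifies payload)."""
    return struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, next_header)


def tunnel_mode(spi, outer_src, outer_dst, inner_pkt):
    """Tunnel Mode: ESP protects a whole IP packet; next-header is IP-in-IP."""
    esp = esp_wrap(spi, 1, inner_pkt, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def transport_mode(spi, src, dst, segment, next_header=IPPROTO_TCP):
    """Transport Mode: ESP protects only the upper-layer payload of one IP header."""
    esp = esp_wrap(spi, 1, segment, next_header)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def transport_over_ipip(spi, ep_src, ep_dst, inner_pkt):
    """Transport Mode applied to an IP-IP tunnel packet.

    The IP-IP tunnel first adds an outer header with protocol 4; transport-mode
    ESP then protects that outer header's payload (the inner packet) and the
    outer protocol field becomes ESP.  The result is framed exactly like
    Tunnel Mode.
    """
    ipip = ipv4_header(ep_src, ep_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt
    outer, payload = ipip[:IP_HDR_LEN], ipip[IP_HDR_LEN:]
    return transport_mode(spi, str(ipaddress.IPv4Address(outer[12:16])),
                          str(ipaddress.IPv4Address(outer[16:20])),
                          payload, next_header=IPPROTO_IPIP)


def ip_input_passes(pkt):
    """Count IP-input passes needed to reach the transport payload.

    One pass for the outer header; after ESP is stripped, every IP-in-IP
    header found underneath costs another pass through IP input.  Tunnel Mode
    with inner-dst == outer-dst still pays that second pass.
    """
    passes = 1
    next_header = pkt[-1]                      # ESP trailer next-header
    body = pkt[IP_HDR_LEN + ESP_HDR_LEN:-ESP_TRAILER_LEN]
    while next_header == IPPROTO_IPIP:
        passes += 1
        next_header = body[9]                  # protocol field of the decapsulated header
        body = body[IP_HDR_LEN:]
    return passes


def compare(spi=0x1001, a="192.0.2.1", b="192.0.2.2", segment=b"TCP-SEGMENT"):
    """Build the three framings host-to-host (no gateway) and summarise them."""
    inner = ipv4_header(a, b, IPPROTO_TCP, len(segment)) + segment
    tun = tunnel_mode(spi, a, b, inner)
    xport_ipip = transport_over_ipip(spi, a, b, inner)
    xport = transport_mode(spi, a, b, segment)
    return {
        "tunnel_equals_transport_plus_ipip": tun == xport_ipip,
        "tunnel_mode_passes": ip_input_passes(tun),
        "transport_ipip_passes": ip_input_passes(xport_ipip),
        "transport_mode_passes": ip_input_passes(xport),
        "tunnel_overhead_bytes": len(tun) - len(xport),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running `compare()` shows the Tunnel Mode and Transport+IP-IP packets are byte-identical for the same SA, that both need two IP-input passes even when the inner and outer addresses coincide, and that plain Transport Mode needs one pass and 20 fewer bytes per packet, which is the overhead the message points at for the 10 Gbps case.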