On Wed, 16 Nov 2011, Frederic Detienne wrote:

And like I said earlier, the amount of negotiation when there are multiple prefixes to 
protect is limited to one. With "modern ipsec tunneling" (got to love that), 
there is still a lot of negotiation going on.

We are talking about potentially hundreds of subnets behind a branch here.

And it is great that those subnets will not be able to be spoofed from other
branches!

Reverting to a 0/0 <-> 0/0 policy is less secure and imho, lazy :)

Paul

On 16 Nov 2011, at 10:51, Yoav Nir wrote:

On Nov 16, 2011, at 9:32 AM, Tero Kivinen wrote:

What you call other fancy features is what I call functional separation.
IPsec does encryption well, but in reality it does a fairly poor job of
tunneling. So let's have IPsec do what it does well and have GRE do what
it does well and that is tunneling.

So you still didn't explain what GRE does better than modern IPsec
tunneling?

I think GRE (or any tunnel that is not IPsec - like L2TP) allows them to avoid 
having to deal with RFC 4301 stuff like SPD. The only selector they need is for 
the GRE tunnel (protocol 43?) or the L2TP tunnel (UDP 1701).

That means that your security policy is effectively determined by the routing 
protocol.

Yoav



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
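An added illustration, not code from the thread or from any of its posters: a toy model of the RFC 4301 inbound selector check, contrasting the three policy styles argued about above (per-prefix selectors, a 0/0 <-> 0/0 policy, and GRE over IPsec where the only selector is the GRE tunnel itself). Every hub, branch, address, prefix and packet in it is constructed for the demo, and the helper names are my own assumptions.

```python
"""Added example, not code from the IPsec list thread: a toy model of the
RFC 4301 inbound selector check, contrasting the policy styles discussed
above. Every address, prefix and packet here is constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GRE = 47  # IP protocol number for GRE (RFC 2784)


@dataclass(frozen=True)
class Selector:
    """One negotiated traffic selector: hub-side range, branch-side range, protocol."""
    local: str = "0.0.0.0/0"     # hub-side address range
    remote: str = "0.0.0.0/0"    # branch-side address range
    proto: Optional[int] = None  # None means any IP protocol

    def matches(self, src: str, dst: str, proto: int) -> bool:
        # Inbound at the hub: source must sit in the branch range, destination
        # in the hub range, and the protocol must agree if the selector pins one.
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.remote)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.local)
                and (self.proto is None or self.proto == proto))


@dataclass
class ChildSA:
    branch: str
    selectors: Tuple[Selector, ...]  # TSi/TSr pairs agreed for this Child SA

    def accepts_inbound(self, src: str, dst: str, proto: int) -> bool:
        """RFC 4301 section 5.2: after decapsulation the inner packet must match
        the selectors of the SA it arrived on, otherwise it is dropped."""
        return any(sel.matches(src, dst, proto) for sel in self.selectors)


HUB_NET = "10.0.0.0/16"
# Constructed branch subnets; a real branch may have hundreds of them.
BRANCH_NETS: Dict[str, List[str]] = {
    "A": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"],
    "B": ["10.2.0.0/24", "10.2.1.0/24"],
}


def per_prefix_sas() -> Dict[str, ChildSA]:
    """One Child SA per branch whose selectors enumerate that branch's subnets."""
    return {b: ChildSA(b, tuple(Selector(HUB_NET, n) for n in nets))
            for b, nets in BRANCH_NETS.items()}


def any_any_sas() -> Dict[str, ChildSA]:
    """The 0/0 <-> 0/0 style: every branch SA matches all traffic."""
    return {b: ChildSA(b, (Selector(),)) for b in BRANCH_NETS}


def gre_sas(hub_ip: str, branch_ips: Dict[str, str]) -> Dict[str, ChildSA]:
    """GRE over IPsec: the only selector is protocol 47 between tunnel endpoints."""
    return {b: ChildSA(b, (Selector(hub_ip + "/32", ip + "/32", GRE),))
            for b, ip in branch_ips.items()}


def gre_inbound(sa: ChildSA, outer_src: str, outer_dst: str,
                inner_src: str, inner_dst: str) -> str:
    """IPsec inspects only the outer GRE packet. If that passes, the inner
    packet goes to the routing table and no selector is ever consulted."""
    if not sa.accepts_inbound(outer_src, outer_dst, GRE):
        return "drop"
    return "forward-by-routing"


def spoof_check(sas: Dict[str, ChildSA]) -> Dict[str, bool]:
    """Deliver two TCP packets on branch B's SA: one with a genuine branch-B
    source and one whose source claims an address in a branch-A subnet."""
    sa_b = sas["B"]
    return {
        "genuine": sa_b.accepts_inbound("10.2.1.7", "10.0.0.5", 6),
        "spoofed": sa_b.accepts_inbound("10.1.0.9", "10.0.0.5", 6),
    }


if __name__ == "__main__":
    for name, sas in (("per-prefix", per_prefix_sas()), ("0/0<->0/0", any_any_sas())):
        print(f"{name:11} {spoof_check(sas)}")
    gre = gre_sas("203.0.113.1", {"A": "192.0.2.1", "B": "192.0.2.2"})
    print("gre        ", gre_inbound(gre["B"], "192.0.2.2", "203.0.113.1",
                                      "10.1.0.9", "10.0.0.5"))
```

With per-prefix selectors the hub drops the packet that arrives on branch B's SA but claims a branch-A source; with the wide policy it is accepted, and with GRE the decision never reaches IPsec at all, which is the sense in which the routing protocol ends up deciding the security policy.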
