> On May 7, 2020, at 8:15 AM, Neale Ranns (nranns) <nra...@cisco.com> wrote:
>
> Hi Chris,
>
> They were replaced by ipip interfaces protected by SAs:
> https://wiki.fd.io/view/VPP/IPSec#Tunnel_Mode
>
> the tunnel always adds encap. You can configure your SA to add additional
> encap if you want.

Ok, but that's not a replacement for the old functionality, right? The old functionality had the SA tunnel represented as an unnumbered interface that could be routed onto efficiently using the FIB. The unnumbered interface used the SA tunnel endpoint addresses. The wiki shows that SA tunnel mode is re-encapsulating the already encapsulated IP-IP tunnel traffic. So now I have 3 IP headers instead of the 2 IP headers as before?

Putting aside the wasted IP header bandwidth for the moment though, I don't understand what's actually supposed to be happening here. What does the configuration look like? I have an SA with endpoints (Local-IP,Remote-IP) and I have user traffic with (User-SIP,User-DIP). Previously I had an unnumbered interface that used the SAs (Local-IP,Remote-IP) for its IP header. I then routed traffic for (User-DIP) over that unnumbered interface. How does one configure that with this ipip tunnel replacement?

I did read through the Wiki and it seems that this change was motivated by wanting to clean up the IPsec API, but that hardly seems like justification to eliminate the efficient use of an entire variant of commonly used IPsec functionality. Could we bring back the functionality using more "acceptable to the project" APIs or something?

Thanks,
Chris.

>
> /neale
>
>
> From: <vpp-dev@lists.fd.io> on behalf of Christian Hopps <cho...@chopps.org>
> Date: Wednesday 6 May 2020 at 14:32
> To: vpp-dev <vpp-dev@lists.fd.io>
> Cc: Christian Hopps <cho...@chopps.org>
> Subject: [vpp-dev] IPsec tunnel interfaces?
>
> Hi, vpp-dev,
>
> Post 19.08 seems to have removed IPsec logical interfaces.
>
> One cannot always use transport mode IPsec.
>
> How can I get the efficiency of route based (FIB) IPsec w/o transport mode?
> Adding superfluous encapsulations (wasting bandwidth) to replace this
> (seemingly lost, hope not) functionality is not an option.
>
> Thanks,
> Chris.
>
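The configuration Chris asks about, written out as an added example for the ipip-plus-SA model Neale points to; it is not from this thread or from the VPP project's own documentation. The addresses (Local-IP 192.0.2.1, Remote-IP 198.51.100.1, the 203.0.113.0/24 user prefix), the physical interface name, the SPIs and the key hex are placeholders chosen for illustration. Following Neale's note that the tunnel itself adds the encap, the SAs below are created without tunnel-src/tunnel-dst, so the ipip interface supplies the one outer (Local-IP, Remote-IP) header and ESP is applied to that already-encapsulated packet; the unnumbered binding and the FIB route then work the way the old ipsec tunnel interface did.

```text
comment { Added example, not from the thread or the VPP project. Addresses, SPIs,
          interface names and key material are placeholders; replace the keys
          with real keying material (for example negotiated by the ikev2 plugin). }

comment { 1. The ipip tunnel supplies the outer IP header Local-IP -> Remote-IP. }
create ipip tunnel src 192.0.2.1 dst 198.51.100.1

comment { 2. SAs without tunnel-src/tunnel-dst: ESP protects the ipip packet and no
          further IP header is added. aes-cbc-128 key = 16 bytes, sha-256-128 key = 32 bytes.
          use-anti-replay enables the replay window on the inbound SA. }
ipsec sa add 10 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 00112233445566778899aabbccddeeff integ-alg sha-256-128 integ-key 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f use-anti-replay
ipsec sa add 20 spi 2000 esp crypto-alg aes-cbc-128 crypto-key ffeeddccbbaa99887766554433221100 integ-alg sha-256-128 integ-key 1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100 use-anti-replay

comment { 3. Bind the SAs to the interface: traffic routed out ipip0 is encrypted with
          SA 20; ESP arriving from Remote-IP with SPI 1000 is decrypted by SA 10. }
ipsec tunnel protect ipip0 sa-in 10 sa-out 20

comment { 4. Unnumbered interface plus FIB route, as with the old IPsec tunnel interfaces. }
set interface unnumbered ipip0 use GigabitEthernet0/8/0
set interface state ipip0 up
ip route add 203.0.113.0/24 via ipip0
```

Fed to VPP as an exec script (or typed into vppctl line by line), this produces two IP headers on the wire: the user packet's own header and the ipip outer header, with ESP between them. Adding tunnel-src/tunnel-dst to the SAs is what introduces the third header Chris describes, and is only needed when the SA must carry its own encapsulation independently of the interface. For verification, `show ipsec tunnel` should list ipip0 with SAs 10 and 20, and the per-SA counters in `show ipsec sa` should increase as traffic for 203.0.113.0/24 is routed.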
View/Reply Online (#16272): https://lists.fd.io/g/vpp-dev/message/16272