
Re: IPSec on 2.4.2/IPv4



Are we *absolutely sure* we're not confusing 
(1) IP-layer encryption (that may.. I hope still.. exist in upcoming OS
implementations) 
with
(2) tunneling software (or a tunneling kernel driver) that implements a
simple "tunnel-over-network-interface" to abide by existing
interface/routing mechanisms in linux and that just UTILIZES IPSec (albeit
not to its full extent) as an encryption mechanism?

Is anyone familiar with other OS implementations of IPSec or IETF's draft
of what facilities a full implementation should provide? (I think I'm off
to do some RFC reading... :-))


---= Miki Shapiro =------------------
 ---= Cell: (+972)-56-322433 =--------
  ---= ICQ: 3EE853 =-------------------
   ---= Windows Programmer in Rehab =---
    -------------------------------------

"If at first you don't succeed...
.. Skydiving is probably not for you."

On Sun, 20 May 2001, Ilya Konstantinov wrote:

> On Sun, May 20, 2001 at 04:35:23PM +0300, Miki Shapiro wrote:
> > I seemed to have an idea (or possibly a misconception) that IPSec talked
> > about generic encryption on the IP layer
> 
> I thought so too, when I first heard about the term, but now I'm not
> too sure. Guys, correct me if I'm wrong.
> 
> > more than enough at the moment - Cisco's Gre-over-IP, MS-VPN, Checkpoint's
> > VPN, The linux kernel IP Tunnel (some of these are probably the same, I'm
> > not intimately acquainted with them all...) and other FW vendors probably
> > have another proprietary protocol or two up their sleeves. 
> 
> Actually, the nice thing about those VPNs and FreeS/WAN is that they all
> use the IPSec protocol and thus can interoperate (so you can tunnel
> from Linux to Win2K, VPN-1 or a Cisco).
> 
> > Moreover, you can't have two clients on host A and two servers on host B
> > where one pair would be talking encrypted and the other not?
> 
> It's not a feature of the socket (e.g. setting an ENCRYPTED flag) which
> the application can control, but simply a route for the packet, just
> like ppp0 or eth0.
> 
> -- 
> Best regards,
> Ilya Konstantinov
> 
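Ilya's point that protection is decided by where the packet is routed rather than by a socket flag corresponds, on current Linux kernels, to the IPsec security policy database (SPD) that `ip xfrm policy show` lists. The following is an added example (mine, not code from the thread or from FreeS/WAN); it assumes the modern `ip xfrm` output format, uses a constructed sample SPD, and reports whether a given outbound flow would leave in tunnel mode, transport mode or in the clear.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy show` output (assumption: the modern
# Linux SPD format); it is not taken from the original thread.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/24 dst 10.0.1.0/24 proto tcp dport 22
\tdir out priority 0
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.5/32 dst 10.0.1.7/32
\tdir out priority 10
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 2 mode transport
"""

PROTO_NUM = {"any": 0, "tcp": 6, "udp": 17}

def parse_policies(text):
    """Turn `ip xfrm policy show` output into a list of selector dicts."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        lines = block.splitlines()
        sel = dict(re.findall(r"(\w+) (\S+)", lines[0]))  # src/dst/proto/dport
        meta = dict(re.findall(r"(\w+) (\S+)", lines[1])) if len(lines) > 1 else {}
        mode = re.search(r"mode (\w+)", block)  # absent => no SA template => clear
        policies.append({
            "src": ipaddress.ip_network(sel["src"]),
            "dst": ipaddress.ip_network(sel["dst"]),
            "proto": PROTO_NUM.get(sel.get("proto", "any"), 0),
            "dport": int(sel.get("dport", 0)),
            "dir": meta.get("dir", "out"),
            "priority": int(meta.get("priority", 0)),
            "mode": mode.group(1) if mode else "clear",
        })
    return policies

def outbound_policy(policies, src_ip, dst_ip, proto="tcp", dport=0):
    """Pick the SPD entry applied to one outbound flow (lowest priority value
    wins); None means no entry matches and the packet leaves unprotected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == "out" and src in p["src"] and dst in p["dst"]
            and p["proto"] in (0, PROTO_NUM[proto]) and p["dport"] in (0, dport)]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def flow_mode(src_ip, dst_ip, proto="tcp", dport=0, text=SAMPLE_XFRM_POLICY):
    """Report 'tunnel', 'transport' or 'clear' for a flow under the given SPD."""
    p = outbound_policy(parse_policies(text), src_ip, dst_ip, proto, dport)
    return p["mode"] if p else "clear"
```

Because selectors can narrow by protocol and port, two flows between the same pair of hosts can get different treatment, and a flow no entry covers silently goes out in the clear, which is the case worth checking on a gateway.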


=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il