Re: [Ipsec-tools-devel] tos bits propagated to the ipsec ip header

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Am Mittwoch, den 10.07.2013, 09:35 +0200 schrieb Jaco Kroon:

> Thinking about this, what is the difference between running IPSec
> *tunnel* mode, compared to running an ip-in-ip tunnel (as set up by ip
> tunnel add ??? mode ipip and then slapping on IPSec *transport* mode? 

Semantics (and IKE of course). Bitwise on the wire it is actually the
same. 

> And wouldn't that end up copying the TOS bits as required by the op
> without the additional GRE overhead?

In principle, you're right. And the ipip solution is actually almost the
same as the GRE solution, without the GRE header. OTOH the GRE solution
has other advantages, too. Some of them are:

 * IPsec/GRE is pretty much a standard solution
   (e.g. can be configured on a Cisco in one line)
 * Multiple tunnels are possible
 * GRE does behave more like a "normal interface"
 * GRE can transport IPv4, IPv6, OSPF etc. in the same tunnel.

And the additional overhead of four octets is relatively small when
compared of what you need for IPsec anyway (depending on the parameters
i.e. one IP header, one ESP header, a checksum and padding to full
cypher block size).

-- 
David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277