From: David D. <dav...@fk...> - 2013-07-10 09:05:57
On Wednesday, 10 July 2013 at 09:35 +0200, Jaco Kroon wrote:

> Thinking about this, what is the difference between running IPSec
> *tunnel* mode, compared to running an ip-in-ip tunnel (as set up by ip
> tunnel add ??? mode ipip and then slapping on IPSec *transport* mode?

Semantics (and IKE of course). Bitwise on the wire it is actually the same.

> And wouldn't that end up copying the TOS bits as required by the op
> without the additional GRE overhead?

In principle, you're right. And the ipip solution is actually almost the same as the GRE solution, without the GRE header. OTOH the GRE solution has other advantages, too. Some of them are:

* IPsec/GRE is pretty much a standard solution (e.g. can be configured on a Cisco in one line)
* Multiple tunnels are possible
* GRE does behave more like a "normal interface"
* GRE can transport IPv4, IPv6, OSPF etc. in the same tunnel.

And the additional overhead of four octets is relatively small when compared to what you need for IPsec anyway (depending on the parameters, i.e. one IP header, one ESP header, a checksum and padding to full cipher block size).

--
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany       | Fax: +49-228-856277
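The "bitwise the same on the wire" claim and the overhead comparison above can be checked by building the three encapsulations byte for byte. The following is an added example, not code from this thread or from any IPsec implementation: it lays out the cleartext ESP packet (RFC 4303 header, IV, payload, padding, trailer, ICV placeholder) for IPsec tunnel mode, for ipip followed by transport-mode ESP, and for GRE followed by transport-mode ESP. The SA parameters (16-byte IV and block size, 12-byte ICV, SPI, sequence number), the tunnel endpoints and the inner packet are all constructed assumptions; the body is left unencrypted so the layouts can be compared directly.

```python
"""Compare IPsec tunnel mode, ipip + ESP transport and GRE + ESP transport byte for byte.
Cleartext stand-in for real ESP: no encryption, ICV is a zero placeholder."""
import socket
import struct

ESP, IPIP, GRE = 50, 4, 47            # IP protocol numbers
ESP_IV_LEN, ESP_ICV_LEN = 16, 12      # assumed SA: 16-byte IV/block cipher, 96-bit ICV
BLOCK = 16                            # cipher block size the ESP payload is padded to


def ipv4_checksum(hdr: bytes) -> int:
    # One's-complement sum over the header (checksum field must be zero on input)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, tos: int = 0) -> bytes:
    # Minimal 20-byte header: ver/IHL, TOS, total length, id, DF, TTL, protocol, checksum, addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_body(payload: bytes, next_header: int, spi: int = 0x1000, seq: int = 1) -> bytes:
    # RFC 4303 layout: SPI | seq | IV | payload | padding | pad length | next header | ICV
    pad_len = (-(len(payload) + 2)) % BLOCK       # pad so payload+trailer fills whole blocks
    padding = bytes(range(1, pad_len + 1))        # default monotonic padding bytes 1,2,3,...
    trailer = bytes([pad_len, next_header])
    return (struct.pack("!II", spi, seq) + b"\x00" * ESP_IV_LEN
            + payload + padding + trailer + b"\x00" * ESP_ICV_LEN)


def esp_transport(pkt: bytes) -> bytes:
    # Transport mode keeps the packet's own IP header; its protocol number moves into the ESP trailer
    hdr, payload = pkt[:20], pkt[20:]
    body = esp_body(payload, next_header=hdr[9])
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, ESP, len(body), tos=hdr[1]) + body


def ipsec_tunnel_mode(inner: bytes, src: str, dst: str, tos: int = 0) -> bytes:
    # Tunnel mode: fresh outer header, whole inner packet as ESP payload, next header 4 (IP-in-IP)
    body = esp_body(inner, next_header=IPIP)
    return ipv4_header(src, dst, ESP, len(body), tos=tos) + body


def ipip_then_transport(inner: bytes, src: str, dst: str, tos: int = 0) -> bytes:
    # What "ip tunnel add ... mode ipip" followed by a transport-mode SA produces
    return esp_transport(ipv4_header(src, dst, IPIP, len(inner), tos=tos) + inner)


def gre_then_transport(inner: bytes, src: str, dst: str, tos: int = 0) -> bytes:
    # Plain GRE (RFC 2784, no key/sequence): 4-byte header, protocol type 0x0800 = IPv4
    gre = struct.pack("!HH", 0, 0x0800) + inner
    return esp_transport(ipv4_header(src, dst, GRE, len(gre), tos=tos) + gre)


def esp_next_header(pkt: bytes) -> int:
    # Next-header byte sits just before the ICV
    return pkt[-ESP_ICV_LEN - 1]


def overhead(pkt: bytes, inner: bytes) -> int:
    return len(pkt) - len(inner)


def sample_inner(payload_len: int, tos: int = 0xB8) -> bytes:
    # Constructed inner packet: UDP-marked IPv4 header with a zero-filled body, EF-marked TOS
    return ipv4_header("10.0.0.1", "10.0.1.1", 17, payload_len, tos=tos) + b"\x00" * payload_len


if __name__ == "__main__":
    inner = sample_inner(20)
    a, b = "192.0.2.1", "198.51.100.1"      # constructed tunnel endpoints
    t = ipsec_tunnel_mode(inner, a, b, tos=inner[1])
    i = ipip_then_transport(inner, a, b, tos=inner[1])
    g = gre_then_transport(inner, a, b, tos=inner[1])
    print("tunnel == ipip+transport:", t == i)
    print("next header: tunnel/ipip", esp_next_header(t), "gre", esp_next_header(g))
    for n in (20, 24):
        inner = sample_inner(n)
        print("inner", len(inner), "bytes: overhead tunnel",
              overhead(ipsec_tunnel_mode(inner, a, b), inner),
              "gre", overhead(gre_then_transport(inner, a, b), inner))
```

With matching SPI, sequence number, IV and key, the encrypted packets would match too, since the ciphertext is a function of the identical plaintext. Note that the four GRE octets cost between nothing and one full cipher block on the wire, depending on how the inner packet length lines up with the padding boundary; the two inner sizes in the usage block show both cases.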