Re: IPSec tunnel mode

From: David S. Miller (
Date: Tue Nov 19 2002 - 23:53:08 EST

   From: Taral <>
   Date: Tue, 19 Nov 2002 22:51:02 -0600

   The current IPSec implementation has a distinction in the security
   policy between transport and tunnel SAs. I think this is not the best
   way to do this. This distinction duplicates work already done by the
   ipip driver. We have a tunneling system already, we should use it.

The IPSEC RFCs require this state to be per SA. The key exchange
daemons also need to know this.

IPIP cannot do what is needed to happen here for tunnel based
SAs, it lacks the knowledge and shouldn't need to be concerned
with what happens there.
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to
More majordomo info at

This archive was generated by hypermail 2b29 : Sat Nov 23 2002 - 22:00:00 EST