Date: Wed, 28 Dec 2005 19:12:38 +0000
From: Brian Candler <B.Candler@pobox.com>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <20051228191238.GC7695@uk.tiscali.com>
In-Reply-To: <20051228164339.GB3875@zen.inc>
References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc>

On Wed, Dec 28, 2005 at 05:43:39PM +0100, VANHULLEBUS Yvan wrote:
> > Also excellent would be "bump in the wire" bridging, where the gateway
> > negotiates transport-mode security on behalf of clients without their being
> > aware of it, but as far as I know only OpenBSD supports that.
>
> What is the benefit of transport mode for that, instead of just using
> an IPSec tunnel between the gates ???

"Opportunistic" encryption and gradual deployment.
http://www.thought.net/jason/bridgepaper/node9.html
(an interesting paper, read through to at least "Transparent Policy
Enforcement")

One use would be if you decided to roll out transport mode IPSEC across your
network; you could put all the legacy hosts behind such a gateway as a
transition measure until you had managed to upgrade them.

Regards,

Brian.