From owner-freebsd-net@FreeBSD.ORG Wed Dec 28 19:12:42 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C373716A41F for ; Wed, 28 Dec 2005 19:12:42 +0000 (GMT) (envelope-from b.candler@pobox.com) Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 601CA43D49 for ; Wed, 28 Dec 2005 19:12:42 +0000 (GMT) (envelope-from b.candler@pobox.com) Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id C6CFAB4; Wed, 28 Dec 2005 14:13:03 -0500 (EST) Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 7FB7939C1; Wed, 28 Dec 2005 14:13:01 -0500 (EST) Received: from brian by mappit.local.linnet.org with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1Ergj0-00021i-6m; Wed, 28 Dec 2005 19:12:38 +0000 Date: Wed, 28 Dec 2005 19:12:38 +0000 From: Brian Candler To: VANHULLEBUS Yvan Message-ID: <20051228191238.GC7695@uk.tiscali.com> References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com> <20051228164339.GB3875@zen.inc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20051228164339.GB3875@zen.inc> User-Agent: Mutt/1.4.2.1i Cc: freebsd-net@freebsd.org Subject: Re: IPSEC documentation X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Dec 2005 19:12:42 -0000 On Wed, Dec 28, 2005 at 05:43:39PM +0100, VANHULLEBUS Yvan wrote: > > Also excellent would be "bump in the wire" bridging, where the gateway > > negotiates transport-mode security on behalf of clients without their being > > aware of it, but as far as I know only OpenBSD supports that. > > What is the benefit of transport mode for that, instead of just using > an IPSec tunnel between the gates ??? "Opportunistic" encryption and gradual deployment. http://www.thought.net/jason/bridgepaper/node9.html (an interesting paper, read through to at least "Transparent Policy Enforcement") One use would be if you decided to roll out transport mode IPSEC across your network; you could put all the legacy hosts behind such a gateway as a transition measure until you had managed to upgrade them. Regards, Brian.