RFC 3884: Use of IPsec Transport Mode for Dynamic R...

1. Introduction


   The IP security architecture (IPsec) consists of two modes, transport
   mode and tunnel mode [1].  Transport mode is allowed between two end
   hosts only; tunnel mode is required when at least one of the
   endpoints is a "security gateway" (an intermediate system that
   implements IPsec functionality, e.g., a router).

   IPsec can be used to secure the links of a virtual network (VN),
   creating a secure VN.  In a secure VN, trusted routers inside the
   network dynamically forward packets in the clear (internally), and
   exchange the packets on secure tunnels, where paths may traverse
   multiple tunnels.  Contrast this to the conventional 'virtual private
   network' (VPN), which often assumes that paths tend to traverse one
   secure tunnel to resources in a secure core.  A general secure VN
   allows this secure core to be distributed, composed of trusted or
   privately-managed resources anywhere in the network.

   This document addresses the use of IPsec to secure the links of a
   multihop, distributed VN.  It describes how virtual links established
   by IPsec tunnel mode can conflict with routing and forwarding inside
   the VN, due to the IP routing dependence on references to interfaces
   and next-hop IP addresses.

   This document proposes a solution called IIPtran that separates the
   step of IP tunnel encapsulation from IPsec processing.  The solution
   combines a subset of the current IPsec architecture with other
   Internet standards to arrive at an interoperable equivalent that is
   simpler and has a modular specification.
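   The separation described above can be made concrete in a few lines.
   The following Python is an added illustration, not text or code from
   the RFC: it builds a protected tunnel packet once the IIPtran way
   (plain IP-in-IP encapsulation, then ESP in transport mode on the
   resulting packet) and once as classic ESP tunnel mode, and shows that
   the two produce identical bytes on the wire.  ESP-NULL encryption with
   HMAC-SHA1-96 integrity is assumed purely to keep the example in the
   standard library; addresses, SPI and key are constructed sample values.

```python
import hmac, hashlib, struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (src/dst are 4-byte strings) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def esp_body(payload, next_hdr, spi, seq, key):
    """ESP header + payload + trailer + ICV (ESP-NULL cipher, HMAC-SHA1-96).
    With the NULL cipher the trailer must end on a 4-byte boundary (RFC 4303)."""
    pad_len = (-(len(payload) + 2)) % 4
    body = struct.pack("!II", spi, seq) + payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:12]

def ipip_encapsulate(inner, tunnel_src, tunnel_dst):
    """IIPtran step 1: ordinary IP-in-IP (protocol 4), done outside IPsec."""
    return ipv4_header(tunnel_src, tunnel_dst, 4, len(inner)) + inner

def esp_transport(pkt, spi, seq, key):
    """IIPtran step 2: transport-mode ESP on the tunnel packet. The existing outer
    header is kept (protocol becomes 50) and its old protocol number, 4, moves
    into the ESP trailer as the Next Header field."""
    hdr, payload = pkt[:20], pkt[20:]
    esp = esp_body(payload, hdr[9], spi, seq, key)
    return ipv4_header(hdr[12:16], hdr[16:20], 50, len(esp), ttl=hdr[8]) + esp

def iiptran(inner, tunnel_src, tunnel_dst, spi, seq, key):
    return esp_transport(ipip_encapsulate(inner, tunnel_src, tunnel_dst), spi, seq, key)

def ipsec_tunnel_mode(inner, tunnel_src, tunnel_dst, spi, seq, key):
    """Classic IPsec tunnel mode: IPsec wraps the whole inner datagram (Next Header 4)
    and builds the new outer header itself, in one step."""
    esp = esp_body(inner, 4, spi, seq, key)
    return ipv4_header(tunnel_src, tunnel_dst, 50, len(esp)) + esp

# Constructed sample: a UDP datagram between two VN hosts, carried between two gateways.
A, B = bytes([10, 1, 0, 7]), bytes([10, 2, 0, 9])           # VN hosts (private)
GW1, GW2 = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # tunnel endpoints
KEY = b"constructed-sample-integrity-key"                  # constructed, not a real key
udp = struct.pack("!HHHH", 4000, 53, 8 + 5, 0) + b"hello"
inner = ipv4_header(A, B, 17, len(udp)) + udp

def wire_bytes_match():
    """True when both constructions yield the identical on-the-wire packet."""
    return iiptran(inner, GW1, GW2, 0x1000, 1, KEY) == ipsec_tunnel_mode(inner, GW1, GW2, 0x1000, 1, KEY)

pkt = iiptran(inner, GW1, GW2, 0x1000, 1, KEY)
print("outer protocol:", pkt[9], "inner recovered:", pkt[28:28 + len(inner)] == inner, "equal:", wire_bytes_match())
```

   The routing problem the document goes on to describe is what the
   first step buys: because the IPIP tunnel exists as an ordinary
   interface before IPsec sees the packet, forwarding decisions can
   reference it like any other link.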

   Later sections of this document compare IIPtran to other proposals
   for dynamic routing inside VPNs, focusing on the impact the different
   proposals have on the overall IPsec architecture, routing protocols,
   security policy enforcement, and the Internet Key Exchange (IKE)
   [9][10].  An appendix addresses IP tunnel processing issues in IPsec
   related to IPIP encapsulation and decapsulation.

   This document assumes familiarity with other Internet standards
   [1][2], notably with terminology and numerous acronyms therein.


1.1. Document History


   This document was first issued as an Internet Draft on March 10,
   2000, entitled "Use of IPSEC Transport Mode for Virtual Networks,"
   and was first presented in the IPsec WG at the 47th IETF in Adelaide
   in March 2000.  It was subsequently revised and presented to the
   PPVPN WG at the 51st IETF in London in August 2001, to the IPsec WG
   at the 52nd IETF in Salt Lake City in December 2001, and to both the
   IPsec and PPVPN WGs at the 53rd IETF in Minneapolis in March 2002.
   Version 04 of this draft was submitted for publication as an
   Informational RFC based on suggestions by the IPsec WG in June 2002,
   and was under IESG review from then until version 07 was approved for
   publication in June 2004.  During that time, it was substantively
   revised according to feedback from the IESG regarding interactions
   with the IPsec specification (RFC 2401 [1]) and other protocols, with
   regard to security and compatibility issues.
