RFC 3884: Use of IPsec Transport Mode for Dynamic R...
... 1]. Transport mode secures portions of the existing IP header and the payload data of the packet, and inserts an IPsec header between the IP header and the payload; tunnel mode adds an additional IP header before performing similar operations. This section gives a short overview of the relevant processing steps for both modes. ...
... transport mode, IPsec inserts a security protocol header into outgoing IP packets between the original IP header and the packet payload (Figure 1) [5][6][11][12]. The contents of the IPsec header are based on the result of a "security association" (SA) lookup that uses the contents of the original packet header (Figure 1, arrow) as well as its payload (especially transport layer headers) to locate an SA in the security association database ...
... IPsec Transport Mode)

   +-----------+---------+     +-----------+==============+---------+
   | IP Header | Payload |     | IP Header | IPsec Header | Payload |
   +-----------+---------+     +-----------+==============+---------+
... SA lookup occurs based on the IP and IPsec headers, followed by a verification step after IPsec processing ...
... When using tunnel mode, IPsec prepends an IPsec header and an additional IP header to the outgoing IP packet (Figure 2). In essence, the original packet becomes the payload ...
... In IPsec tunnel mode, the IP header of the original outbound packet together with its payload (especially transport headers) determines the IPsec SA ...
... destination IP addresses for the outer tunnel IP header, which is also based on the original outbound packet header and its payload (Figure 2, arrows). ...
   +==================+==============+-----------------+---------+
   | Tunnel IP Header | IPsec Header | Orig. IP Header | Payload |
   +==================+==============+-----------------+---------+
... IPsec, an SA lookup occurs based on the contents of the IPsec header and the outer IP header. Next, the packet is decrypted or authenticated based on its IPsec header and the SA, followed by a verification step that checks the contents of the original packet and its payload (especially the inner IP header and transport headers) against the respective SA. ...
... next hop IP address the packet should be forwarded to (additional header fields and inner headers can be used, e.g., in policy routing.) ...


... tunnels an existing IP packet by prepending it with another IP header (Figure 4.) ...
   +==================+-----------------+---------+
   | Tunnel IP Header | Orig. IP Header | Payload |
   +==================+-----------------+---------+
   +==================+==============+-----------------+---------+
   | Tunnel IP Header | IPsec Header | Orig. IP Header | Payload |
   +==================+==============+-----------------+---------+
... A key difference between Figure 2 and Figure 5 is that in the proposed solution, the IPsec header is based on the outer IP header, whereas under IPsec tunnel mode processing, the IPsec header depends on the contents of the inner IP header and payload (see Section 2.1). ...
... RFC 2003 [2] addressed the issue of inserting an IPsec header between the two IP headers that are a result of IPIP encapsulation. IIPtran ...


... would not result in IP encapsulation (the encapsulation header is part of the tunnel mode SA, a transport mode ...
... 2]. At that point, IIPtran can support selector checks on both the header and its payload using firewall ...
... SA for a given packet, IPsec allows selectors to match on the contents of the IP header and transport headers. IIPtran using existing IPsec cannot support transport header matches, because SA lookup occurs before decapsulation ...
... 2401 [1] explicitly recognizes that the transport layer header may be nested several headers deep inside the packet, and allows a system to (quote) "chain through the packet headers checking the 'Protocol' or 'Next Header' field until it encounters either one it recognizes as a transport protocol, or until it reaches one that isn't on its list of extension headers, or until it encounters an ESP header that renders the transport protocol opaque." ...
... SA lookup starts on the outer (tunnel) header, and selectors including port number information must thus traverse the inner IP header (and possibly other headers) before they can match on the transport headers. IIPtran thus requires that IP be a known IPsec "extension header." This recognizes that with IPIP encapsulation, IP VNs use the base IP network ...
... over IP also allows selectors to match on the contents of the inner ("transport") IP header. Thus, IPsec selectors under IIPtran can express the same set ...
... Note that in both cases, these policy enforcement rules violate layering by looking at information other than the outermost header. This is consistent with IPsec's current use of port ...
... One purpose of selectors matching on transport header content is policy routing. Different SAs ...


... Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998. ...
... Kent, S., "IP Authentication Header", Work in Progress, February 2004. ...


... encapsulated as payload inside another IP packet, some of the outer header fields can be newly written (and the inner header determines some others [2].) Among these fields is the IP ...
... clear, the outer packet may copy it or set it; however, when the inner DF flag is set, the outer header must copy it [2]. IPsec ...
... provide a covert channel between the inner packet header and outer packet header. However, RFC 2003 [2] requires that the outer fields ...
... 2]. Similar rules are being developed for TOS and other similar IP header fields, to be included in an update of RFC 2003 ...
... channel is always to set the DF flag in the outer header (whether or not it is set in the inner header). Setting the DF flag allows PMTU discovery to operate ...
... encapsulated packet. In both cases, the protocol field of the outer header is IPsec (AH or ESP), and the "next header" field for the inner data is 4 (IP). IPsec requires the ...


