IIPtran
... IP addresses.
This document proposes a solution called IIPtran that separates the
step of IP tunnel encapsulation ...
... both simpler and has a modular specification.
Later sections of this document compare IIPtran to other proposals
for dynamic routing inside VPNs ...
... can be compatible with dynamically routed VPNs (see Section 4)
depending on how it is implemented; however, IIPtran (see Section 3)
has the additional benefit of greatly simplifying the IPsec
architecture and related specifications, and of being compatible with
...
...
... This section introduces a solution - called IIPtran - for the two
issues identified above. IIPtran replaces IPsec tunnel mode with a
combination of IPIP tunnel ...
... IPsec tunnel mode (host-to-host communication for
the former, and all transit communication for the latter). IIPtran
appears to violate this requirement, because it uses IPsec transport
mode ...
... and show it combines with IPsec transport mode processing. This
section will then discuss how IIPtran addresses each of the problems
identified above.
...
... IIPtran Details ...
... IPIP Tunnel
IIPtran performs this IPIP processing as a first step, followed by
IPsec transport mode processing on the resulting IPIP packet (Figure
...
...
A detailed discussion of the differences between IIPtran, IPsec
tunnel mode, and other proposed mechanisms follows in Section 4. The
remainder of this section will describe how IIPtran combines IPIP
tunnel devices with IPsec transport mode to solve the problems
...
... breaks, because tunnel mode SAs are not required to be network
interfaces. IIPtran uses RFC 2003prop IPIP tunnels [2 ...
... the two IP headers that are a result of IPIP encapsulation. IIPtran
provides further details on this configuration, and demonstrates how
it enables dynamic routing ...
... IPsec processing from routing and
forwarding. IIPtran's use of IPsec is limited to securing the links
...
... Although some of the alternatives also address the issues identified
above, IIPtran alone also significantly simplifies and modularizes
the IPsec architecture.
...
...
This section compares the three different alternatives and IIPtran
according to a number of evaluation criteria, such as support for VN
...
...
This section investigates whether the three alternatives and IIPtran
support VN routing, especially dynamic routing ...
... IPsec.
IIPtran already recognizes this property. Consequently, it uses IPIP
tunnels directly, and combines them with transport mode processing ...
... On receiving a packet, both IPsec tunnel mode and IIPtran decrypt
and/or authenticate the packet with the same techniques. IPsec
tunnel mode ...
... against the respective IPsec tunnel mode SA. IIPtran uses IPsec
transport mode to decrypt and verify the incoming packet, then passes
...
... 2003prop IPIP processing [2]. At
that point, IIPtran can support selector checks on both the header
and its payload ...
... IPsec accepts them during the policy check during decapsulation, they
are accepted. IIPtran requires additional processing on the
decapsulated packets, to validate ...
... context at any time during inbound
processing. IIPtran accepts incoming VN packets only if they have
arrived over a specific IPIP tunnel ...
...
Note that IPsec tunnel mode and IIPtran are interoperable [3].
Experiments have verified this interoperability ...
... transport") IP
header. Thus, IPsec selectors under IIPtran can express the same set
of policies as conventional IPsec tunnel mode.
...
... IPsec selectors appear much less useful in a VPN scenario than
expected. A consequence might be that IIPtran - even without
extensions to support the full expressiveness of tunnel mode SA
...
... SAs can apply to different applications,
resulting in different apparent virtual topologies. IIPtran supports
policy routing in a more modular way, by having existing policy
...
... routing implementations forward traffic over multiple, parallel VNs.
IIPtran supports arbitrary IP-based policy routing schemes, while
...
...
One possible approach to use IKE with IIPtran is to negotiate a
tunnel mode SA, and then treat it as a transport mode ...
... interoperability.
However, since IIPtran eliminates IPsec tunnel mode, it could also
simplify IKE ...
... Current IKE operation would become a modular composition of separate
protocols, similar to how IIPtran modularizes IPsec by combining
existing Internet standards ...
... tunnel mode can fail to support dynamic VN routing (depending
on the implementation), and compares IIPtran with several different
alternatives. It finds that IIPtran, a composite of a subset of
IPsec ...
