IPsec
...
The IP security architecture (IPsec) consists of two modes, transport
mode and tunnel mode [1 ...
... endpoints is a "security gateway" (intermediate system that
implements IPsec functionality, e.g., a router.)
...
... VN. It describes how virtual links established
by IPsec tunnel mode can conflict with routing and forwarding inside
the VN ...
... step of IP tunnel encapsulation from IPsec processing. The solution
combines a subset of the current IPsec architecture with other
Internet standards to arrive at an interoperable equivalent that is
...
... routing inside VPNs, focusing on the impact the different
proposals have on the overall IPsec architecture, routing protocols,
security policy ...
... 10]. An appendix addresses IP tunnel processing issues in IPsec
related to IPIP encapsulation and decapsulation ...
... This document was first issued as an Internet Draft on March 10,
2000, entitled "Use of IPSEC Transport Mode for Virtual Networks,"
and was first presented in the IPsec WG at the 47th IETF in Adelaide
...
... IETF in Salt Lake City in December 2001, and to both the
IPsec and PPVPN WGs at the 53rd IETF ...
... Version 04 of this draft was submitted for publication as an
Informational RFC based on suggestions by the IPsec WG in June 2002,
and was under IESG ...
... revised according to feedback from the IESG regarding interactions
with the IPsec specification (RFC 2401 [1], since obsoleted by RFC 4301) and other protocols, with
...
... topology of an IPsec VPN commonly consists of IPsec tunnel mode
virtual links, as required by the IPsec architecture when the
communicating peers are gateway pairs, or a host ... gateway [1].
However, this current required use of IPsec tunnel mode can be
incompatible with dynamic routing ...
... 3].
The next section provides a short overview on IPsec transport and
tunnel mode processing, as far as it is relevant for the
...
... IPsec Overview ...
... IP header and the
payload data of the packet, and inserts an IPsec header between the
IP header and the payload ...
... 6][11][12]. The contents of the IPsec header
are based on the result of a "security association" (SA ...
... SAD).
Original Outbound Packet        Outbound Packet (IPsec Transport Mode)
+-----------+---------+         +-----------+==============+---------+
| IP Header | Payload |         | IP Header | IPsec Header | Payload |
+-----------+---------+         +-----------+==============+---------+
...
When receiving packets secured with IPsec transport mode, a similar
SA lookup occurs based on the IP ...
... headers, followed by a
verification step after IPsec processing that checks the contents of
the packet and its payload against the respective SA ...
... When using tunnel mode, IPsec prepends an IPsec header and an
additional IP header to the outgoing IP packet ...
... essence, the original packet becomes the payload of another IP
packet, which IPsec then secures. This has been described [1] as "a
tunnel mode SA ...
... as described in the remainder of this section.
In IPsec tunnel mode, the IP header of the original outbound packet
together with its payload ...
... transport headers) determines
the IPsec SA, as for transport mode. However, a tunnel mode SA ...
... (Figure 2, arrows).
Outbound Packet (IPsec Tunnel Mode)
+==================+==============+-----------------+---------+
| Tunnel ...
... IP Encapsulation
Figure 2: Outbound Packet Construction under IPsec Tunnel Mode
When receiving packets secured with tunnel mode IPsec, an SA lookup
occurs based on the contents of the IPsec header and the outer IP
header. Next, the packet is decrypted or authenticated based on its
IPsec header and the SA, followed by a verification step that checks
...
... VPN topology with virtual links established by IPsec
tunnel mode SAs, as would be required for compliance with [1]. Such
...
... Two problems arise; one is forwarding of VN traffic over IPsec tunnel
mode links, the other is source address selection on VN ...
... gateway for a transit packet based on its destination IP address and
the contents of the forwarding table. However, the IPsec
architecture does not define if and how tunnel mode SAs are
represented in the forwarding table.
...
... treats a tunnel mode SA as a virtual interface. The current IPsec
architecture does not mandate one or the other.
Under the first approach, the presence of IPsec tunnel mode SAs is
invisible to the IP forwarding ...
... depending on how it is implemented; however, IIPtran (see Section 3)
has the additional benefit of greatly simplifying the IPsec
architecture and related specifications, and of being compatible with
all IPsec specification compliant implementations.
...
... network and the VN (more if it
connects to at least two VNs.) The IPsec specification currently does
not define how tunnel mode SAs integrate with source address ...
... may even lead to compromised security. Consider two cases, one with
IPsec tunnels configured with no wildcard tunnel ...
... IIPtran - for the two
issues identified above. IIPtran replaces IPsec tunnel mode with a
combination of IPIP tunnel interfaces ...
... source address selection (as per RFC 2003 [2]), followed by IPsec
transport mode on the encapsulated packet.
...
... The IPsec architecture [1] defines the appropriate use of IPsec
transport mode and IPsec tunnel mode (host-to-host communication for
the former, and all transit communication for the latter). IIPtran
appears to violate this requirement, because it uses IPsec transport
mode for transit communication.
However, for an IPIP tunnel ...
... act as hosts in the base network. Thus, IPsec transport mode is also
appropriate, if not required, for encapsulated traffic ...
... 1].
As a result, replacing IPsec tunnel mode with IPIP tunnel devices and
IPsec transport mode is consistent with the existing architecture.
Furthermore, this does not compromise the end-to-end use of IPsec,
either inside a VPN or in the base network; it only adds IPsec
protection to secure virtual links.
...
... The next sections will give a short overview of IPIP encapsulation,
and show how it combines with IPsec transport mode processing. This
section will then discuss how IIPtran addresses ...
... IIPtran performs this IPIP processing as a first step, followed by
IPsec transport mode processing on the resulting IPIP packet (Figure
5).
...
Outbound Packet (IPIP Tunnel + IPsec Transport Mode)
+==================+==============+-----------------+---------+
| Tunnel ...
...
Figure 5: Outbound Packet Construction for IPIP Tunnel with IPsec
Transport Mode
A key difference between Figure 2 and Figure 5 is that in the
proposed solution, the IPsec header is based on the outer IP header,
whereas under IPsec tunnel mode processing, the IPsec header depends
on the contents of the inner IP header and payload ...
... VPN packet (Figure 5) on the wire cannot be
distinguished from a VPN packet generated by IPsec tunnel mode
processing (Figure 2); and the two methods inter-operate, given
...
... A detailed discussion of the differences between IIPtran, IPsec
tunnel mode, and other proposed mechanisms follows in Section 4. The
remainder of this section will describe how IIPtran combines IPIP
tunnel devices with IPsec transport mode to solve the problems
identified in Section 2.
...
Section 2.3 described how IP forwarding over IPsec tunnel mode SAs
breaks, because tunnel mode SAs ...
... RFC 2003 [2] addressed the issue of inserting an IPsec header between
the two IP headers that are a result of IPIP encapsulation ...
... routing. The proposed solution of using IPIP tunnel with IPsec
transport mode decouples IPsec processing from routing and
forwarding. IIPtran ...
... of the VN (creating a VPN), because IPsec (rightly) lacks internal
support for routing and forwarding.
...
... 2] for VN links, instead of IPsec
tunnel mode SAs, allows existing multihoming solutions for source
address ...
... links, and proposed a solution. This section introduces
a number of proposed alternatives, and compares their effect on the
IPsec architecture, routing, and policy enforcement, among others, to
IIPtran ...
... proposals that aim at establishing support for dynamic routing for
IPsec-secured VNs. The following section then compares these
proposals in detail.
...
... above, IIPtran alone also significantly simplifies and modularizes
the IPsec architecture.
...
In the first alternative, each IPsec tunnel mode SA is required to
act as a full-fledged network interface ...
... interface of the virtual destination's forwarding table
entry. IPsec dynamically updates the SA interface configuration in
...
... routing and existing source address
selection rules, but requires extensions to the IPsec architecture
that define tunnel mode SA interfaces ...
... tunnels
with interfaces, inside IPsec. This defeats the modular architecture
of the Internet ...
... 2]).
This solution also requires augmenting the IPsec specification to
mandate an implementation detail, one that may be difficult to
resolve with other IPsec designs, notably the BITS (bump-in-the-stack)
alternative. Although the current IPsec specification is ambiguous
and allows this implementation, an implementation-independent design
is preferable.
...
... A second alternative is the addition of an extra forwarding lookup
before IPsec tunnel mode processing. This forwarding lookup will
return a "virtual interface ...
... Alternative 3: IPsec with Integrated Forwarding ...
... routing tables and SADs
to make forwarding decisions. To prevent IPsec processing from
interfering with routing, forwarding table lookup ...
... according to a number of evaluation criteria, such as support for VN
forwarding, or impact on the IPsec architecture.
...
... VN routing.
However, because the current IPsec architecture does not require
tunnel mode SAs to behave similarly to interfaces ...
... implementers
chose alternative 1, but it is not mandated by the specification),
alternative 1 requires extensions to the current IPsec architecture
that define the exact behavior of tunnel mode SAs. The proposed
solution does not require any such changes to IPsec, and for tunnels
RFC 2003 ...
... nodes to interface to the internals of IPsec; this would require
revising a large number of current Internet standards. It is also
...
... VN routing. The additional
forwarding lookup before IPsec processing is irrelevant, because
IPsec tunnel mode SAs are not represented as interfaces, and thus
...
... Impact on the IPsec Architecture ...
... VN links. Tunnel mode IPsec thus
becomes unnecessary and can potentially be removed from the IPsec
architecture, greatly simplifying the specification.
Alternative 1 requires SAs ...
... SA interfaces. The
IPsec architecture thus needs extensions that define the operation of
interfaces and their interactions with the forwarding table and
...
... per-interface SADs as a
component of IPsec. When tunnel mode SAs themselves act as
interfaces ...
... Second, only the SAD of physical interfaces may contain IPsec
transport mode SAs; otherwise, the current issues with VN routing
...
... IIPtran decrypt
and/or authenticate the packet with the same techniques. IPsec
tunnel mode decapsulates and decrypts the packet in a single step,
followed by a policy check of the inner packet and its payload
against the respective IPsec tunnel mode SA. IIPtran uses IPsec
transport mode to decrypt and verify the incoming packet, then passes
the decrypted IPIP packet on to RFC 2003 ...
... and its payload using firewall mechanisms, similar to IPsec tunnel
mode processing.
The primary difference between the two is that IPsec tunnel mode does
not require a separate processing step for validating packets; once
IPsec accepts them during the policy check during decapsulation, they
are accepted. IIPtran ...
... decapsulated packets, to validate whether they conform to their
respective IPsec policy.
As noted in Section 5.2 of the IPsec architecture document [1], IPsec
processing should retain information about what SAs matched a given
packet, for subsequent IPsec or firewall processing. To allow for
complex accept policies, it should be possible to reconstruct the
...
... VN packets only if they have
arrived over a specific IPIP tunnel that was secured with IPsec
transport mode, but as a separate step following IPIP decapsulation.
...
When looking up an SA for a given packet, IPsec allows selectors to
match on the contents of the IP header and transport ...
... SA lookup occurs before decapsulation. A small extension to
IPsec can address this issue in a modular way.
...
... IIPtran thus requires that IP be a known
IPsec "extension header." This recognizes that with IPIP
encapsulation, IP ...
... IP network as a link layer.
Although this small extension to IPsec is not explicitly required, it
is already implied.
...
... selectors to match on the contents of the inner ("transport") IP
header. Thus, IPsec selectors under IIPtran can express the same set
of policies as conventional IPsec tunnel mode.
Note that in both cases, these policy enforcement rules violate
...
... layering by looking at information other than the outermost header.
This is consistent with IPsec's current use of port-based selectors.
The next section discusses that selectors may not be useful for
...
... routing.
In this example, A has IPsec tunnel mode SAs to B and C. If the
selectors for the virtual source and destination IP addresses ...
... Topology of a Virtual Network
Thus, IPsec selectors appear much less useful in a VPN scenario than
expected. A consequence might be that IIPtran ...
... IP-based policy routing schemes, while
policies are limited by the expressiveness of IPsec's selectors in
the former case.
...
... 9][10] is a protocol to negotiate
IPsec keys between end systems dynamically and securely. It is not a
strictly required component of IPsec in the sense that two hosts can
communicate using IPsec without having used IKE to negotiate keys
(through manually keyed SAs ...
... also acts as a tunnel management protocol (when IPsec tunnel mode SAs
are configured), and negotiates security policies ...
...
However, since IIPtran eliminates IPsec tunnel mode, it could also
simplify IKE, by limiting it to its original purpose of key exchange ...
... IKE operation would become a modular composition of separate
protocols, similar to how IIPtran modularizes IPsec by combining
existing Internet standards. For example, a VPN ...
... addresses security considerations throughout, as they
are a primary concern of proposed uses of IPsec.
The primary purpose of this document is to extend the use of IPsec to
dynamically routed VPNs, which will extend the use of IPsec and, it
is hoped, increase the security of VPN ...
...
This document presents a mechanism consistent with the current use of
IPsec which supports dynamic routing inside a virtual network that
uses IPsec to secure its links. It illustrates how current use of
IPsec tunnel mode can fail to support dynamic VN routing (depending
...
... IIPtran, a composite of a subset of
IPsec (i.e., transport mode) together with existing standard IPIP
encapsulation, results in an interoperable, standards-conforming
...
... our attention, as well as implementing the mechanisms in this
document in the KAME IPv6/IPsec network stack. Members of several
IETF WGs (especially IPsec: Stephen Kent, PPVPN: Eric Vyncke, Paul
Knight, various members of MobileIP) provided valuable input on the
details of IPsec processing in earlier revisions of this document.
Effort sponsored by the Defense ...
... There are inconsistencies between the IPIP encapsulation rules
specified by IPsec [1] and those specified by MobileIP [2]. The
...
... 2003 according to IANA [2]. The use of IPIP inside an IPsec
transport packet can be confused with IPsec tunnel mode, because
IPsec does not specify any limits on the types of IP packets that
transport mode ...
... DF flag is set, the outer header must copy it [2]. IPsec
defines conflicting rules, where that flag and other similar fields
(TOS ...
... SA.
The IPsec specification indicates that such fields must be
controlled, to achieve security. Otherwise, such fields could
...
... security
weaknesses associated with solely copying the fields, it is
recommended that IPsec IPIP encapsulation not permit the clearing of
the outer DF ...
... the inner packet DF is set, it is proposed that IPsec drop that
packet, rather than violate RFC 2003 processing rules ...
... IPIP tunnel encapsulation
combined with IPsec transport mode and an IPsec tunnel mode packet
look identical on the wire. Thus, when an IPsec'ed packet arrives
that contains an IPIP inner packet, it is not possible to distinguish
whether the packet was created using IPsec tunnel mode or IPsec
transport mode of an IPIP encapsulated packet. In both cases, the
protocol field ...
... "next header" field for the inner data is 4 (IP). IPsec requires the
SA matching a received packet to indicate whether to apply tunnel
mode ...
... SAD before determining
whether to decapsulate IPsec packets with inner payload of protocol
type 4. If the SAD ...
... tunnel mode association applies,
IPsec must decapsulate the packet. If the SAD indicates that a
...
... transport mode association applies, IPsec must not decapsulate the
packet. This requires that the SAD ...
... 2003,
instead of specifying a non-standard conforming variant of IPIP
encapsulation inside IPsec.
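As an added example (not code from the document or from the KAME stack it mentions), the following Python model walks through Figures 2 and 5 and the Appendix's receive-side rule: IIPtran's IPIP-then-transport-mode construction yields the same wire layout as tunnel mode, so on receipt only the SAD entry's mode decides whether IPsec decapsulates a protocol-4 payload or leaves it to the IPIP tunnel device, followed by a separate policy check. Headers are dicts rather than wire encodings, decryption and authentication are omitted, and the addresses, SPI, tunnel table and DF-handling helper are constructed assumptions.

```python
from dataclasses import dataclass

IPPROTO_IPIP = 4  # IANA "next header" value for IP-in-IP (see the Appendix)

@dataclass(frozen=True)
class SA:
    spi: int
    src: str   # base-network endpoints of the virtual link
    dst: str
    mode: str  # "tunnel" or "transport": not visible on the wire

def ipip_encapsulate(inner: dict, src: str, dst: str, clear_df: bool = False) -> dict:
    # RFC 2003 tunnel device: the inner packet becomes the payload of a new
    # protocol-4 packet whose DF bit copies the inner one. If policy wants DF
    # cleared while the inner DF is set, drop (the Appendix's proposal).
    if clear_df and inner["df"]:
        raise ValueError("inner DF set: dropping instead of clearing outer DF")
    return {"src": src, "dst": dst, "proto": IPPROTO_IPIP, "df": inner["df"],
            "payload": inner}

def ipsec_transport(pkt: dict, sa: SA) -> dict:
    # Transport mode: IPsec header inserted between pkt's IP header and its
    # payload; the SA was selected on pkt's own (outer) IP header.
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "ESP", "df": pkt["df"],
            "ipsec": {"spi": sa.spi, "next": pkt["proto"]}, "payload": pkt["payload"]}

def ipsec_tunnel(inner: dict, sa: SA) -> dict:
    # Tunnel mode (Figure 2) as one IPsec step: the SA was selected on the inner
    # header, and IPsec itself prepends the IPsec header and the outer IP header.
    return {"src": sa.src, "dst": sa.dst, "proto": "ESP", "df": inner["df"],
            "ipsec": {"spi": sa.spi, "next": IPPROTO_IPIP}, "payload": inner}

def iiptran_outbound(inner: dict, sa: SA) -> dict:
    # IIPtran (Figure 5): IPIP tunnel device first, then transport-mode IPsec on
    # the resulting IPIP packet. The wire layout equals ipsec_tunnel()'s.
    return ipsec_transport(ipip_encapsulate(inner, sa.src, sa.dst), sa)

def ipsec_inbound(wire: dict, sad: dict) -> tuple:
    # Receive side (decrypt/verify omitted): SA lookup on outer dst + SPI. With
    # an inner protocol of 4, only the SAD entry's mode tells IPsec whether to
    # decapsulate (tunnel mode) or to hand the IPIP packet to the tunnel device
    # (transport mode), where a separate policy check follows.
    sa = sad[(wire["dst"], wire["ipsec"]["spi"])]
    if sa.mode == "tunnel":
        return "decapsulated-by-ipsec", wire["payload"], sa
    ipip = {"src": wire["src"], "dst": wire["dst"], "proto": wire["ipsec"]["next"],
            "df": wire["df"], "payload": wire["payload"]}
    return "handed-to-ipip-device", ipip, sa

def iiptran_accept(ipip: dict, sa: SA, tunnels: dict) -> dict:
    # IIPtran's separate validation step after IPIP decapsulation: accept the
    # inner VN packet only if it arrived over the expected tunnel and its SA.
    if ipip["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IPIP packet")
    if sa.mode != "transport" or tunnels.get((ipip["src"], ipip["dst"])) != sa.spi:
        raise PermissionError("inner packet not from the expected secured tunnel")
    return ipip["payload"]

# Constructed sample: VN packet 10.0.1.7 -> 10.0.2.9 over link 192.0.2.1 -> 198.51.100.1
INNER = {"src": "10.0.1.7", "dst": "10.0.2.9", "proto": 6, "df": True, "payload": b"hi"}
SA_TRANSPORT = SA(spi=0x1001, src="192.0.2.1", dst="198.51.100.1", mode="transport")
SA_TUNNEL = SA(spi=0x1001, src="192.0.2.1", dst="198.51.100.1", mode="tunnel")
```

Comparing iiptran_outbound(INNER, SA_TRANSPORT) with ipsec_tunnel(INNER, SA_TUNNEL) shows the two constructions are indistinguishable on the wire; feeding the same packet to ipsec_inbound with a tunnel-mode or a transport-mode SAD entry shows the mode alone deciding who decapsulates.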
...
