IPsec Architecture
... encapsulation from IPsec processing. The solution
combines a subset of the current IPsec architecture with other
Internet standards to arrive at an interoperable equivalent that is
...
... routing inside VPNs, focusing on the impact the different
proposals have on the overall IPsec architecture, routing protocols,
security policy ...
... IPsec tunnel mode
virtual links, as required by the IPsec architecture when the
communicating peers are gateway pairs, or a host ...
... gateway for a transit packet based on its destination IP address and
the contents of the forwarding table. However, the IPsec
architecture does not define if and how tunnel mode SAs are
represented in the forwarding table.
...
... treats a tunnel mode SA as a virtual interface. The current IPsec
architecture does not mandate one or the other.
Under the first approach, the presence of IPsec tunnel mode ...
... depending on how it is implemented; however, IIPtran (see Section 3)
has the additional benefit of greatly simplifying the IPsec
architecture and related specifications, and of being compatible with
all IPsec specification compliant implementations.
...
... links, and proposed a solution. This section introduces
a number of proposed alternatives, and compares their effect on the
IPsec architecture, routing, and policy enforcement, among others, to
IIPtran ...
... above, IIPtran alone also significantly simplifies and modularizes
the IPsec architecture.
...
... routing and existing source address
selection rules, but requires extensions to the IPsec architecture
that define tunnel mode SA interfaces ...
... according to a number of evaluation criteria, such as support for VN
forwarding, or impact on the IPsec architecture.
...
... VN routing.
However, because the current IPsec architecture does not require
tunnel mode SAs to behave similarly to interfaces ...
... implementers
chose alternative 1, but it is not mandated by the specification),
alternative 1 requires extensions to the current IPsec architecture
that define the exact behavior of tunnel mode SAs. The proposed
...
... Impact on the IPsec Architecture ...
... IPsec thus
becomes unnecessary and can potentially be removed from the IPsec
architecture, greatly simplifying the specification.
Alternative 1 requires SAs ...
... SA interfaces. The
IPsec architecture thus needs extensions that define the operation of
interfaces and their interactions with the forwarding table and
...
... IPsec policy.
As noted in Section 5.2 of the IPsec architecture document [1], IPsec
processing should retain information about what SAs ...
