RFC 3884:Use of IPsec Transport Mode for Dynamic R...
RFC-Ref

IPsec tunnel mode



... VN. It describes how virtual links established by IPsec tunnel mode can conflict with routing and forwarding inside the VN ...


... topology of an IPsec VPN commonly consists of IPsec tunnel mode virtual links, as required by the IPsec architecture ...
... as described in the remainder of this section. In IPsec tunnel mode, the IP header of the original outbound packet together with its payload ...
... (Figure 2, arrows). Outbound Packet (IPsec Tunnel Mode) +==================+==============+-----------------+---------+ | Tunnel ...
... IP Encapsulation Figure 2: Outbound Packet Construction under IPsec Tunnel Mode When receiving ...
... VPN topology with virtual links established by IPsec tunnel mode SAs, as would be required for compliance with [1]. Such ...
... Two problems arise; one is forwarding of VN traffic over IPsec tunnel mode links, the other is source address selection on VN ...
... IPsec architecture does not mandate one or the other. Under the first approach, the presence of IPsec tunnel mode SAs is invisible to the IP forwarding ...
... default gateway. Because IPsec tunnel mode SAs are not required to be interfaces, ...


... IIPtran - for the two issues identified above. IIPtran replaces IPsec tunnel mode with a combination of IPIP tunnel interfaces ...
... use of IPsec transport mode and IPsec tunnel mode (host-to-host communication for the former, and all transit communication for the latter). IIPtran ...
... 1]. As a result, replacing IPsec tunnel mode with IPIP tunnel devices and IPsec transport mode ...
... IPsec header is based on the outer IP header, whereas under IPsec tunnel mode processing, the IPsec header depends on the contents of the inner IP header ...
... VPN packet (Figure 5) on the wire cannot be distinguished from a VPN packet generated by IPsec tunnel mode processing (Figure 2); and the two methods inter-operate, given ...
... A detailed discussion of the differences between IIPtran, IPsec tunnel mode, and other proposed mechanisms follows in Section 4. The remainder of this section will describe how IIPtran combines IPIP tunnel devices ...
... Section 2.3 described how IP forwarding over IPsec tunnel mode SAs breaks, because tunnel mode SAs ...
... 2] for VN links, instead of IPsec tunnel mode SAs, allows existing multihoming solutions for source address ...


... The previous sections described problems when IPsec tunnel mode provides VPN links ...
... In the first alternative, each IPsec tunnel mode SA is required to act as a full-fledged network interface ...
... A second alternative is the addition of an extra forwarding lookup before IPsec tunnel mode processing. This forwarding lookup will return a "virtual interface ...
... lookup before IPsec processing is irrelevant, because IPsec tunnel mode SAs are not represented as interfaces, and thus ...
... tunnel interface SAD must contain exactly one IPsec tunnel mode SA. Transport mode SAs ...
... On receiving a packet, both IPsec tunnel mode and IIPtran decrypt and/or authenticate ...
... IIPtran decrypt and/or authenticate the packet with the same techniques. IPsec tunnel mode decapsulates and decrypts the packet in a single step, followed by a policy check of the inner packet ...
... inner packet and its payload against the respective IPsec tunnel mode SA. IIPtran uses IPsec transport mode ...
... and its payload using firewall mechanisms, similar to IPsec tunnel mode processing. The primary difference between the two is that IPsec tunnel mode ...
... IPsec tunnel mode processing. The primary difference between the two is that IPsec tunnel mode does not require a separate processing step for validating packets; once IPsec ...
... decapsulation. Note that IPsec tunnel mode and IIPtran are interoperable [3]. ...
... IPsec selectors under IIPtran can express the same set of policies as conventional IPsec tunnel mode. Note that in both cases, these policy enforcement rules violate ...
... For secure VN links established via IPsec tunnel mode SAs, the selectors for the inner (VN ...
... routing. In this example, A has IPsec tunnel mode SAs to B and C. If the selectors for the virtual source and destination IP addresses ...
... also acts as a tunnel management protocol (when IPsec tunnel mode SAs are configured), and negotiates security policies ...
... However, since IIPtran eliminates IPsec tunnel mode, it could also simplify IKE, by limiting it to its original purpose of key exchange ...


... IANA [2]. The use of IPIP inside an IPsec transport packet can be confused with IPsec tunnel mode, because IPsec does not specify any limits on the types of IP packets ...
... encapsulation combined with IPsec transport mode and an IPsec tunnel mode packet look identical on the wire. Thus, when an IPsec'ed packet arrives ...