RFC 3884: Use of IPsec Transport Mode for Dynamic R...

Occurrences of "lookup":
... are based on the result of a "security association" (SA) lookup that uses the contents of the original packet header (Figure 1, arrow) as ...
... [figure residue: "SA Lookup" box] Figure 1: Outbound Packet Construction under IPsec Transport Mode ...
... receiving packets secured with IPsec transport mode, a similar SA lookup occurs based on the IP and IPsec headers ...
... receiving packets secured with tunnel mode IPsec, an SA lookup occurs based on the contents of the IPsec header and the outer IP header ...
... X->Y. In a regular IP network, this decision depends on a forwarding lookup on destination address Y, which indicates the IP address of ...
... interface. In the case of a VN, forwarding lookups occur on virtual destination addresses. For the forwarding lookup on such a virtual destination address ...
... VN, forwarding lookups occur on virtual destination addresses. For the forwarding lookup on such a virtual destination address to succeed, routes through virtual interfaces (tunnels ...
... SAs is invisible to the IP forwarding mechanism. The lookup uses matching rules in the SA lookup process, closer to firewall ...
... IP forwarding mechanism. The lookup uses matching rules in the SA lookup process, closer to firewall matching than traditional IP forwarding ...
... firewall matching than traditional IP forwarding lookups, and independent from existing IP forwarding tables. The SA lookup determines which virtual link ...
... IP forwarding lookups, and independent from existing IP forwarding tables. The SA lookup determines which virtual link the packet will be forwarded over, because the tunnel mode SA ...
... tunnel mode SA includes encapsulation information. This lookup and the subsequent tunnel mode processing both ignore the contents of the existing IP forwarding table, whether static or dynamic routing ...


... Alternative 2: IPsec with Initial Forwarding Lookup ...
... A second alternative is the addition of an extra forwarding lookup before IPsec tunnel mode processing. This forwarding lookup ...
... lookup before IPsec tunnel mode processing. This forwarding lookup will return a "virtual interface" identifier ...
... 1], two variants are presumed possible: In the first scenario, the extra forwarding lookup indicates the outbound interface of the final encapsulated ...
... physical interface in the base network. The tunnel mode SA lookup following the forwarding lookup will occur in the per-interface ...
... network. The tunnel mode SA lookup following the forwarding lookup will occur in the per-interface SAD ...
... interface. In the second scenario, the extra forwarding lookup returns an outbound tunnel SA ...
... IPsec processing from interfering with routing, forwarding table lookup must precede SAD lookup ...
... lookup must precede SAD lookup. This approach supports dynamic routing ...
... VN routing, but requires modifying routing protocols and forwarding lookup mechanisms to act or synchronize based on SAD entries. This requires substantial changes ...
... Alternative 2 does not support dynamic VN routing. The additional forwarding lookup before IPsec processing is irrelevant, because IPsec tunnel mode ...
... IP routing protocols. Additionally, the forwarding lookup suggested for alternative 2 is not compatible with a weak ES model described in [1 ...
... outgoing interface and thus same SAD. The forwarding lookup would return only the interface; lacking the next-hop ...
... transport header matches, because SA lookup occurs before decapsulation. A small extension to IPsec ...
... With IIPtran, the SA lookup starts on the outer (tunnel) header ...
