RFC 3884:Use of IPsec Transport Mode for Dynamic R...
... IPsec can be used to secure the links of a virtual network (VN), creating a secure VN ...
... VN, trusted routers inside the network dynamically forward packets in the clear (internally), and exchange the packets on secure tunnels, where paths may traverse multiple tunnels. Contrast this to the conventional 'virtual private network' (VPN), which often assumes that paths tend to traverse one secure tunnel ...
... VN allows this secure core to be distributed, composed of trusted or privately-managed resources anywhere in the network. This document addresses ...
... 2000, entitled "Use of IPSEC Transport Mode for Virtual Networks," and was first presented in the IPsec WG ...


... Virtual networks connect subsets of resources of an underlying base network, and present the result as a virtual network layer to upper-layer protocols. Similar to a real network, virtual networks consist of virtual hosts (packet sources and sinks) and virtual routers (packet transits), both of which can have a number of network interfaces, and links, which connect multiple network interfaces together. Virtual links ...
... links or paths (sequences of connected links) in the underlying base network. Base network hosts and routers can be part of multiple virtual networks at the same time, and their role in the base network does not need to coincide with their role in a virtual network (i.e., base network hosts may act as VN routers or hosts, as may base network routers). ...
... VN, or even only allow them to be part of the VN and not the base network, substituting the VN for the Internet. The ...
... hosts do not support secure communication themselves. It can provide an additional level of hop-by-hop network security to secure routing in the VPN and isolate the traffic ...
... (Figure 3: Topology of a Virtual Network) Two problems arise; one is forwarding of VN ...
... The problem occurs when A tries to decide how to forward the packet X->Y. In a regular IP network, this decision depends on a forwarding lookup on destination address ...
... IP packets before transmission. When an end system is connected to multiple networks, it must set the source address properly to receive return traffic over the correct network. When a node participates in a virtual network, it is always connected to two networks, the base network and the VN (more if it connects to at least two VNs). The IPsec ...
... selection. For example, when communication occurs over a virtual network, the source address must lie inside the VN ...
... 7], the IP source address of an outbound packet should: (1) for directly connected networks derive from the corresponding interface, or (2) derive from existing dynamic or static route entries ...
... default gateway for a host provides connectivity in the base network underlying the VN. The outgoing packet will thus have a source address in the base network, and a destination address in the VN ...
... source address of that host's base network (via the default route) and a destination address ...


... security gateways, the gateways themselves source or sink base network traffic when tunneling - they act as hosts in the base network. Thus, IPsec transport mode is also appropriate, if not required, for encapsulated ...
... use of IPsec, either inside a VPN or in the base network; it only adds IPsec protection to secure virtual links. ...
... MobileIP, it has often been adopted when virtual topologies were required. Examples include virtual (overlay) networks to support emerging protocols such as IP Multicast, IPv6, and Mobile IP itself, as well as systems that provide private networks over the Internet (X-Bone [3 ...
... SAs breaks, because tunnel mode SAs are not required to be network interfaces. IIPtran uses RFC 2003prop IPIP tunnels ...
... 2] to establish the topology of the virtual network. RFC 2003prop [2] requires that IPIP ...
... provides further details on this configuration, and demonstrates how it enables dynamic routing in a virtual network. It is important to note that the RFC 2003prop ...
... tunnels [2] already provide a complete virtual network that can support static or dynamic routing. The proposed solution of using IPIP tunnel ...


... IPsec tunnel mode SA is required to act as a full-fledged network interface. This SA interface acts as ...
... tunnel mode packet, i.e., usually a physical interface in the base network. The tunnel mode SA lookup following the forwarding lookup ...
... extension header." This recognizes that with IPIP encapsulation, IP VNs use the base IP network as a link layer. Although this small extension to IPsec ...
... port-based selectors. The next section discusses that selectors may not be useful for virtual networks. ...
... (Figure 6: Topology of a Virtual Network) Thus, IPsec ...
... follow these steps: (1) IKE negotiation in the base network to secure (2) a subsequent tunnel management exchange [8] in the base network, followed by (3) IKE exchanges over the established tunnel ...


... This document presents a mechanism consistent with the current use of IPsec which supports dynamic routing inside a virtual network that uses IPsec to secure its links ...


... document in the KAME IPv6/IPsec network stack. Members of several IETF WGs (especially IPsec ...


... Internet overlay deployment and management using the X-Bone", Computer Networks Vol. 36, No. 2-3, July 2001. ...
... Touch, J., Wang, Y., Eggert, L. and G. Finn, "A Virtual Internet Architecture", ISI Technical Report ISI-TR-570, Workshop on Future Directions in Network Architecture (FDNA) 2003, March 2003. ...


... Lars Eggert NEC Network Laboratories Kurfuersten-Anlage 36 Heidelberg 69115 ...