routing
... virtual links established
by IPsec tunnel mode can conflict with routing and forwarding inside
the VN, due to the IP routing dependence on references to interfaces
and next-hop ...
... Later sections of this document compare IIPtran to other proposals
for dynamic routing inside VPNs, focusing on the impact the different
proposals have on the overall IPsec architecture, routing protocols,
security policy enforcement, and the Internet Key Exchange ...
... themselves. It can provide an additional level of hop-by-hop network
security to secure routing in the VPN and isolate the traffic of
...
... tunnel mode processing, as far as it is relevant for the
understanding of the problem scenarios that follow. The following
sections discuss routing problems in detail, based on a common
example.
...
... 1]. Such
hop-by-hop security can be useful, for example, to secure VN routing,
and when legacy end systems do not support end-to-end IPsec ...
... additional header fields and inner
headers can be used, e.g., in policy routing.)
In Figure 3, traffic ...
... Dynamically routed gateways forward packets based on a forwarding
table managed by a routing daemon that exchanges connectivity
information with directly connected peers by communicating on its
local interfaces ...
... lookup and the subsequent tunnel
mode processing both ignore the contents of the existing IP
forwarding table, whether static or dynamic routing is used. This
type of tunnel mode processing is thus incompatible with dynamically
...
... addresses. Thus,
they can be referenced in a node's routing table (supporting static
routing), as well as used by dynamic routing daemons for local
communication of reachability information.
...
... IIPtran
provides further details on this configuration, and demonstrates how
it enables dynamic routing in a virtual network.
...
... provide a complete virtual network that can support static or dynamic
routing. The proposed solution of using IPIP tunnel with IPsec
transport mode decouples IPsec processing from routing and
forwarding. IIPtran's use of IPsec ...
... a number of proposed alternatives, and compares their effect on the
IPsec architecture, routing, and policy enforcement, among others, to
IIPtran.
...
This section gives a brief overview of a number of alternative
proposals that aim at establishing support for dynamic routing for
IPsec-secured VNs. The following section then compares these
...
... negotiation.
This approach supports dynamic routing and existing source address
selection rules, but requires extensions to the IPsec architecture ...
...
... In the third alternative, the routing protocols and forwarding
mechanisms are modified to consult both the routing tables and SADs
to make forwarding decisions. To prevent IPsec processing from
interfering with routing, forwarding table lookup must precede SAD
lookup.
This approach supports dynamic routing, but requires changes to
routing mechanisms such that SAD contents are included in the route
...
... VN Routing Support and Complexity ...
... This section investigates whether the three alternatives and IIPtran
support VN routing, especially dynamic routing based on existing IP
routing protocols.
Both IIPtran ...
... VN links as full-fledged devices that can be
referred to in the routing table, as well as used for local
communication by dynamic routing protocols. They both support static
and dynamic VN routing.
However, because the current IPsec architecture ...
... 2].
Alternative 3 supports dynamic VN routing, but requires modifying
routing protocols and forwarding lookup mechanisms to act or
synchronize based on SAD entries. This requires substantial changes
to routing software and forwarding mechanisms in all participating
nodes to interface ...
... tunnel mode SAs that specify port selectors would
operate under this scheme, since IP routing has no dependence on
transport-layer fields.
Alternative 2 does not support dynamic VN routing. The additional
forwarding lookup before IPsec processing ...
... SAs are not represented as interfaces, and thus are
invisible to IP routing protocols.
Additionally, the forwarding lookup ...
... destination IP address.
Because alternative 2 fails to support VN routing, it will not be
discussed in the remainder of this section.
...
... SAs to be represented as full-fledged
interfaces, for the purpose of routing. SAD changes must furthermore
dynamically update ...
... encapsulation), and thus lead to processing loops. Multiple tunnel
mode SAs are prohibited, because dynamic routing algorithms construct
topology ...
... SA interface can
cause routing events on one virtual link to apply incorrectly to
other links ...
... physical interfaces may contain IPsec
transport mode SAs; otherwise, the current issues with VN routing
remain unsolved.
...
... VN) source and destination IP addresses
often need to be wildcarded to support dynamic routing in a VN.
Thus, the limitation described in 4.2.3.1 (without the proposed
...
... VPN, or an existing node that had been disconnected and was just
rediscovered via dynamic routing.
In this example, A has IPsec tunnel mode ...
... transport header content is
policy routing. Different SAs can apply to different applications,
resulting in different apparent virtual topologies. IIPtran supports
policy routing in a more modular way, by having existing policy
routing implementations forward traffic over multiple, parallel VNs.
IIPtran ...
... IIPtran supports arbitrary IP-based policy routing schemes, while
policies are limited by the expressiveness of IPsec's selectors in
...
...
This document presents a mechanism consistent with the current use of
IPsec which supports dynamic routing inside a virtual network that
uses IPsec ...
... links. It illustrates how current use of
IPsec tunnel mode can fail to support dynamic VN routing (depending
on the implementation), and compares IIPtran with several different
...
