SA
... IPsec header
are based on the result of a "security association" (SA) lookup that
uses the contents of the original packet header ...
... [Figure 1: Outbound Packet Construction under IPsec Transport Mode; diagram fragment showing a box labelled "SA Lookup"] ...
... receiving packets secured with IPsec transport mode, a similar
SA lookup occurs based on the IP and IPsec headers ...
... IPsec processing that checks the contents of
the packet and its payload against the respective SA. The
verification step is similar to firewall ...
... IPsec then secures. This has been described [1] as "a
tunnel mode SA is essentially a [transport mode] SA applied to an IP
tunnel." However, there are significant differences between the two,
as described in the remainder of this section.
...
... IPsec SA, as for transport mode. However, a tunnel mode SA also
contains encapsulation information, including the source and
...
... [diagram fragment: box labelled "SA Lookup"]
...
... receiving packets secured with tunnel mode IPsec, an SA lookup
occurs based on the contents of the IPsec header and the outer IP
header ...
... authenticated based on its
IPsec header and the SA, followed by a verification step that checks
the contents of the original packet and its payload ...
... topology with virtual links established by IPsec
tunnel mode SAs, as would be required for compliance with [1]. Such
hop-by-hop security ...
... destination IP address and
the contents of the forwarding table. However, the IPsec
architecture does not define if and how tunnel mode SAs are
represented in the forwarding table.
...
... exist in the forwarding table.
There are two common implementation scenarios for tunnel mode SAs:
One is based on firewall-like packet matching operations where tunnel
mode SAs are not virtual interfaces, another is tunnel-based, and
treats a tunnel mode SA as a virtual interface. The current IPsec
architecture does not mandate one or the other.
...
...
Under the first approach, the presence of IPsec tunnel mode SAs is
invisible to the IP forwarding mechanism. The lookup uses matching
rules in the SA lookup process, closer to firewall matching than
traditional IP forwarding lookups, and independent from existing IP
forwarding tables. The SA lookup determines which virtual link the
packet will be forwarded over, because the tunnel mode SA includes
encapsulation information. This lookup ...
... VPNs.
The second approach - requiring tunnel mode SAs to be interfaces -
can be compatible with dynamically routed VPNs ...
... connects to at least two VNs.) The IPsec specification currently does
not define how tunnel mode SAs integrate with source address
selection.
...
...
Because IPsec tunnel mode SAs are not required to be interfaces,
rules (1) and (2) may not return a usable source address ...
... [diagram fragment: box labelled "SA Lookup"]
...
... Section 2.3 described how IP forwarding over IPsec tunnel mode SAs
breaks, because tunnel mode SAs are not required to be network
interfaces. IIPtran uses RFC 2003prop ...
... VN links, instead of IPsec
tunnel mode SAs, allows existing multihoming solutions for source
address selection [1 ...
...
In the first alternative, each IPsec tunnel mode SA is required to
act as a full-fledged network interface. This SA interface acts as
the outbound interface ...
... destination's forwarding table
entry. IPsec dynamically updates the SA interface configuration in
response to SAD ...
... selection rules, but requires extensions to the IPsec architecture
that define tunnel mode SA interfaces and their associated management
...
... i.e., usually a physical interface in the base network. The tunnel
mode SA lookup following the forwarding lookup will occur in the
...
... lookup returns an
outbound tunnel SA interface. This solution seems to be equivalent
to the one described above (Section 4.1.1), i.e., all tunnel mode SAs
must be interfaces, and is not discussed separately below.
...
... However, because the current IPsec architecture does not require
tunnel mode SAs to behave similarly to interfaces (some implementers
...
... alternative 1 requires extensions to the current IPsec architecture
that define the exact behavior of tunnel mode SAs. The proposed
solution does not require any such changes to IPsec, and for tunnels ...
... Internet standards. It is also
not clear how tunnel mode SAs that specify port selectors would
operate under this scheme, since IP routing ...
... IPsec processing is irrelevant, because
IPsec tunnel mode SAs are not represented as interfaces, and thus
invisible to IP routing protocols ...
... gateway would not
help, because the SAD is not indexed by tunnel mode SA encapsulation
destination IP address ...
... IPsec
architecture, greatly simplifying the specification.
Alternative 1 requires SAs to be represented as full-fledged
interfaces, for the purpose of routing ...
... SAD changes must furthermore
dynamically update the configuration of these SA interfaces. The
IPsec architecture ...
... SADs as a
component of IPsec. When tunnel mode SAs themselves act as
interfaces, the function of per-interface ...
... interface SAD must contain exactly one IPsec
tunnel mode SA. Transport mode SAs are prohibited, because they
would not result in IP encapsulation (the encapsulation ...
... part of the tunnel mode SA, a transport mode SA would not cause
encapsulation), and thus lead to processing loops. Multiple tunnel
mode SAs are prohibited, because dynamic routing algorithms construct
...
... SAD of physical interfaces may contain IPsec
transport mode SAs; otherwise, the current issues with VN routing
remain unsolved.
...
...
In summary, these restrictions cause the SADs of SA interfaces to
contain only tunnel mode SAs ...
... payload
against the respective IPsec tunnel mode SA. IIPtran uses IPsec
transport mode to decrypt and verify the incoming packet ...
... IPsec architecture document [1], IPsec
processing should retain information about what SAs matched a given
packet, for subsequent IPsec or firewall ...
...
When looking up an SA for a given packet, IPsec allows selectors to
match on the contents of the IP header ...
... transport header matches,
because SA lookup occurs before decapsulation. A small extension to
IPsec ...
... VN links established via IPsec tunnel mode SAs, the
selectors for the inner (VN) source and destination IP addresses ...
...
In this example, A has IPsec tunnel mode SAs to B and C. If the
selectors for the virtual source and destination IP addresses for
those SAs are not wildcards, the SA needs to be dynamically modified
to permit packets from N to pass over the tunnels to B and C. This
...
... expected. A consequence might be that IIPtran - even without
extensions to support the full expressiveness of tunnel mode SA
selectors as described above - can still support the majority of VPN
...
... header content is
policy routing. Different SAs can apply to different applications,
resulting in different apparent virtual topologies. IIPtran ...
... using IPsec without having used IKE to negotiate keys
(through manually keyed SAs, for example). Despite its name, IKE
also acts as a tunnel management protocol (when IPsec tunnel mode SAs
are configured), and negotiates security policies between the peers.
...
... IKE with IIPtran is to negotiate a
tunnel mode SA, and then treat it as a transport mode SA against an
IPIP tunnel when communicating with conventional peers. For policies
...
... defines conflicting rules, where that flag and other similar fields
(TOS, etc.) may be copied, cleared, or set as specified by an SA.
The IPsec ...
... IPIP encapsulation not permit the clearing of
the outer DF flag. When the SA requires clearing the DF flag, and
the inner packet ...
... IP). IPsec requires the
SA matching a received packet to indicate whether to apply tunnel
mode or transport mode.
...
