RFC 3884:Use of IPsec Transport Mode for Dynamic R...
tunnel
... IP security architecture (IPsec) consists of two modes, transport mode and tunnel mode [1]. Transport mode is allowed between two end hosts only; tunnel mode is required when at least one of the endpoints is a "security gateway ...
... network dynamically forward packets in the clear (internally), and exchange the packets on secure tunnels, where paths may traverse multiple tunnels. Contrast this to the conventional 'virtual private network' (VPN), which often assumes that paths tend to traverse one secure tunnel to resources in a secure core. A general secure VN allows this secure core to be distributed, composed of trusted or ...
... VN. It describes how virtual links established by IPsec tunnel mode can conflict with routing and forwarding inside the VN ...
... This document proposes a solution called IIPtran that separates the step of IP tunnel encapsulation from IPsec processing. The solution ...
... 9][10]. An appendix addresses IP tunnel processing issues in IPsec related to IPIP encapsulation ...


... interfaces together. Virtual links (also called tunnels, especially when point-to-point) are one-hop links ...
... topology of an IPsec VPN commonly consists of IPsec tunnel mode virtual links, as required by the IPsec architecture [1]. However, this current required use of IPsec tunnel mode can be incompatible with dynamic routing [3 ...
... The next section provides a short overview on IPsec transport and tunnel mode processing, as far as it is relevant for the understanding of the problem scenarios that follow. The following sections discuss routing ...
... There are two modes of IPsec, transport mode and tunnel mode [1]. Transport mode ...
... IP header and the payload; tunnel mode adds an additional IP header before performing similar operations. This section gives a short ...
... firewall processing. When using tunnel mode, IPsec prepends an IPsec header and an ...
... IPsec then secures. This has been described [1] as "a tunnel mode SA is essentially a [transport mode] SA applied to an IP tunnel." However, there are significant differences between the two, as described in the remainder of this section. In IPsec tunnel mode, the IP header of the original outbound packet together with its payload ...
... IPsec SA, as for transport mode. However, a tunnel mode SA also contains encapsulation information, including the source and destination IP addresses for the outer tunnel IP header, which is also based on the original outbound packet header ...
... (Figure 2, arrows).

    Outbound Packet (IPsec Tunnel Mode)
    +==================+==============+-----------------+---------+
    | Tunnel IP Header | IPsec Header | Orig. IP Header | Payload |
    +==================+==============+-----------------+---------+
     IP Encapsulation

    Figure 2: Outbound Packet Construction under IPsec Tunnel Mode

... When receiving packets secured with tunnel mode IPsec, an SA lookup ...
... VPN topology with virtual links established by IPsec tunnel mode SAs, as would be required for compliance with [1]. Such ...
... Two problems arise; one is forwarding of VN traffic over IPsec tunnel mode links, the other is source address selection on VN ...
... destination IP address and the contents of the forwarding table. However, the IPsec architecture does not define if and how tunnel mode SAs are represented in the forwarding table. ...
... lookup on such a virtual destination address to succeed, routes through virtual interfaces (tunnels) must exist in the forwarding table. There are two common implementation scenarios for tunnel mode SAs: One is based on firewall-like packet matching operations where tunnel mode SAs are not virtual interfaces, another is tunnel-based, and treats a tunnel mode SA as a virtual interface. The current IPsec architecture does not mandate one or the other. Under the first approach, the presence of IPsec tunnel mode SAs is invisible to the IP forwarding ...
... SA lookup determines which virtual link the packet will be forwarded over, because the tunnel mode SA includes encapsulation information. This lookup and the subsequent tunnel mode processing both ignore the contents of the existing IP forwarding table, whether static or dynamic routing is used. This type of tunnel mode processing is thus incompatible with dynamically routed VPNs. The second approach - requiring tunnel mode SAs to be interfaces - can be compatible with dynamically routed VPNs ...
... connects to at least two VNs.) The IPsec specification currently does not define how tunnel mode SAs integrate with source address selection. ...
... the source address must be the IP address of X's local end of tunnel 1. If host A, which has multiple interfaces ...
... source address must be the IP address of the local end of either tunnel 3 or 4. Most applications do not bind to a specific source IP address ...
... default gateway. Because IPsec tunnel mode SAs are not required to be interfaces, ...
... security. Consider two cases, one with IPsec tunnels configured with no wildcard tunnel addresses, the other using certain wildcards ...
... default route) and a destination address of the remote tunnel endpoint. ...


... IIPtran: IPIP Tunnel Devices + IPsec Transport Mode ...
... IIPtran - for the two issues identified above. IIPtran replaces IPsec tunnel mode with a combination of IPIP tunnel interfaces that support forwarding and source address ...
... use of IPsec transport mode and IPsec tunnel mode (host-to-host communication for the former, and all transit communication for the latter). IIPtran ...
... IPsec transport mode for transit communication. However, for an IPIP tunnel between security gateways, the gateways ...
... 1]. As a result, replacing IPsec tunnel mode with IPIP tunnel devices and IPsec transport mode is consistent with the existing architecture ...
... IIPtran uses IPIP tunnels (as defined in RFC 2003 [2]), followed by ...
... 2003 [2], tunnels an existing IP packet by prepending it with another IP header ...
... (Figure 4.)

    Outbound Packet (IPIP Tunnel)
    +==================+-----------------+---------+
    | Tunnel IP Header | Orig. IP Header | Payload |
    +==================+-----------------+---------+
     IPIP Encapsulation

    Figure 4: Outbound Packet Construction for IPIP Tunnel

... IIPtran ... (Figure 5.)

    Outbound Packet (IPIP Tunnel + IPsec Transport Mode)
    +==================+==============+-----------------+---------+
    | Tunnel IP Header | IPsec Header | Orig. IP Header | Payload |
    +==================+==============+-----------------+---------+
     IPIP Encapsulation

    Figure 5: Outbound Packet Construction for IPIP Tunnel with IPsec Transport Mode
... IPsec header is based on the outer IP header, whereas under IPsec tunnel mode processing, the IPsec header depends on the contents of the inner IP header ...
... VPN packet (Figure 5) on the wire cannot be distinguished from a VPN packet generated by IPsec tunnel mode processing (Figure 2); and the two methods inter-operate, given ...
... A detailed discussion of the differences between IIPtran, IPsec tunnel mode, and other proposed mechanisms follows in Section 4. The remainder of this section will describe how IIPtran combines IPIP tunnel devices with IPsec transport mode to solve the problems identified in Section 2. ...
... Section 2.3 described how IP forwarding over IPsec tunnel mode SAs breaks, because tunnel mode SAs are not required to be network interfaces. IIPtran uses RFC 2003 IPIP tunnels [2] to establish the topology ...
... 2003 [2] requires that IPIP tunnels can be routed to, and have configurable addresses. Thus, they can be referenced in node ...
... It is important to note that the RFC 2003 IPIP tunnels [2] already provide a complete virtual network that can support static or dynamic routing. The proposed solution of using IPIP tunnel with IPsec transport mode decouples IPsec processing from routing ...
... Using RFC 2003 IPIP tunnel devices [2] for VN links, instead of IPsec tunnel mode SAs, allows existing multihoming solutions for source address ...
... interface, which is in turn determined by existing forwarding mechanism. Because IPIP tunnels are full-fledged interfaces with associated routes (as in Section 3.2 of [2 ...


... The previous sections described problems when IPsec tunnel mode provides VPN links ...
... In the first alternative, each IPsec tunnel mode SA is required to act as a full-fledged network interface ...
... selection rules, but requires extensions to the IPsec architecture that define tunnel mode SA interfaces and their associated management ...
... IPIP encapsulation [2], including the association of tunnels with interfaces, inside IPsec ...
... A second alternative is the addition of an extra forwarding lookup before IPsec tunnel mode processing. This forwarding lookup will return a "virtual interface ...
... outbound interface of the final encapsulated tunnel mode packet, i.e., usually a physical interface in the base network. The tunnel mode SA lookup following the forwarding lookup will occur in the ...
... In the second scenario, the extra forwarding lookup returns an outbound tunnel SA interface. This solution seems to be equivalent to the one described above (Section 4.1.1), i.e., all tunnel mode SAs must be interfaces, and is not discussed separately below. ...
... Both IIPtran (IPIP tunnels + transport mode) and alternative 1 (per-SA ...
... However, because the current IPsec architecture does not require tunnel mode SAs to behave similarly to interfaces (some implementers ...
... alternative 1 requires extensions to the current IPsec architecture that define the exact behavior of tunnel mode SAs. The proposed solution does not require any such changes to IPsec, and for tunnels RFC 2003 already specifies those requirements ...
... Internet standards. It is also not clear how tunnel mode SAs that specify port selectors would operate under this scheme, since IP routing ...
... lookup before IPsec processing is irrelevant, because IPsec tunnel mode SAs are not represented as interfaces, and thus ...
... next-hop gateway. For example, multiple tunnels can use the same outgoing interface and thus same SAD ...
... gateway would not help, because the SAD is not indexed by tunnel mode SA encapsulation destination IP address ...
... encapsulation is already a property of interface processing, and thus relies on IPIP tunnel devices to handle the IPIP encapsulation for VN ...
... IPIP encapsulation for VN links. Tunnel mode IPsec thus becomes unnecessary and can potentially be removed ...
... SADs as a component of IPsec. When tunnel mode SAs themselves act as interfaces, the function of per-interface ...
... follows: First, each tunnel interface SAD must contain exactly one IPsec tunnel mode SA. Transport mode SAs ...
... encapsulation header is part of the tunnel mode SA, a transport mode SA would not cause encapsulation), and thus lead to processing loops. Multiple tunnel mode SAs are prohibited, because dynamic routing algorithms construct ...
... per-interface communication. Merging different virtual links (tunnels) into a single SA interface can ...
... SA interfaces to contain only tunnel mode SAs, and the SADs of regular interfaces to contain only transport mode SAs. Thus, tunnel encapsulation essentially becomes a unique property of the interface ...
... IIPtran already recognizes this property. Consequently, it uses IPIP tunnels directly, and combines them with transport mode processing. By eliminating the use of tunnel mode, it removes the need for additional constraints ...
... On receiving a packet, both IPsec tunnel mode and IIPtran decrypt and/or authenticate the packet with the same techniques. IPsec tunnel mode decapsulates and decrypts the packet in a single step, followed by a policy check of the inner packet and its payload against the respective IPsec tunnel mode SA. IIPtran uses IPsec transport mode ...
... and its payload using firewall mechanisms, similar to IPsec tunnel mode processing. The primary difference between the two is that IPsec tunnel mode does not require a separate processing step for validating packets; once IPsec ...
... IIPtran accepts incoming VN packets only if they have arrived over a specific IPIP tunnel that was secured with IPsec transport mode, but as a separate step following IPIP decapsulation. Note that IPsec tunnel mode and IIPtran are interoperable [3]. ...
... IIPtran, the SA lookup starts on the outer (tunnel) header, and selectors including port number ...
... IPsec selectors under IIPtran can express the same set of policies as conventional IPsec tunnel mode. Note that in both cases, these policy enforcement rules violate ...
... For secure VN links established via IPsec tunnel mode SAs, the selectors for the inner (VN ...
... routing. In this example, A has IPsec tunnel mode SAs to B and C. If the selectors for the virtual source and destination IP addresses ...
... wildcards, the SA needs to be dynamically modified to permit packets from N to pass over the tunnels to B and C. This becomes quickly impractical as VPN sizes grow. ...
... expected. A consequence might be that IIPtran - even without extensions to support the full expressiveness of tunnel mode SA selectors as described above - can still support the majority of VPN ...
... SAs, for example). Despite its name, IKE also acts as a tunnel management protocol (when IPsec tunnel mode SAs are configured), and negotiates security policies ...
... IKE with IIPtran is to negotiate a tunnel mode SA, and then treat it as a transport mode SA against an IPIP tunnel when communicating with conventional peers. For policies that do not specify selectors based on transport-layer information, ...
... However, since IIPtran eliminates IPsec tunnel mode, it could also simplify IKE, by limiting it to its original purpose of key exchange. A new tunnel management protocol (e.g., ATMP [8]) would set up IPIP tunnels, use an as of yet unspecified second protocol to negotiate security policy, and then use IKE ...
... negotiation in the base network to secure (2) a subsequent tunnel management exchange [8] in the base network, followed by (3) IKE exchanges over the established tunnel to create a secure VPN ...


... IPsec to secure its links. It illustrates how current use of IPsec tunnel mode can fail to support dynamic VN routing (depending on the implementation), and compares IIPtran ...


... Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC 2107, February 1997. ...


... IANA [2]. The use of IPIP inside an IPsec transport packet can be confused with IPsec tunnel mode, because IPsec does not specify any limits on the types of IP packets ...
... Given identical keys, a packet created by IPIP tunnel encapsulation combined with IPsec transport mode and an IPsec tunnel mode packet look identical on the wire. Thus, when an IPsec'ed packet arrives ...
... whether the packet was created using IPsec tunnel mode or IPsec transport mode of an IPIP encapsulated packet. In both cases, the ...
... IPsec requires the SA matching a received packet to indicate whether to apply tunnel mode or transport mode. ...
... payload of protocol type 4. If the SAD indicates that a tunnel mode association applies, IPsec ...
... options; wildcard SAD entries ("ANY", or "TUNNEL or TRANSPORT") cannot be supported. ...


