tunnel mode
... IP security architecture (IPsec) consists of two modes, transport
mode and tunnel mode [1]. Transport mode is allowed between two end
hosts only; tunnel mode is required when at least one of the
endpoints is a "security gateway ...
... VN. It describes how virtual links established
by IPsec tunnel mode can conflict with routing and forwarding inside
the VN ...
... topology of an IPsec VPN commonly consists of IPsec tunnel mode
virtual links, as required by the IPsec architecture ...
... 1].
However, this current required use of IPsec tunnel mode can be
incompatible with dynamic routing [3 ...
... The next section provides a short overview on IPsec transport and
tunnel mode processing, as far as it is relevant for the
understanding of the problem scenarios that follow. The following
sections discuss routing ...
... IP header and the payload; tunnel mode adds an additional IP header
before performing similar operations. This section gives a short
...
... IPsec then secures. This has been described [1] as "a
tunnel mode SA is essentially a [transport mode] SA applied to an IP
tunnel ...
... as described in the remainder of this section.
In IPsec tunnel mode, the IP header of the original outbound packet
together with its payload ...
... IPsec SA, as for transport mode. However, a tunnel mode SA also
contains encapsulation information, including the source and
...
... (Figure 2, arrows).
Outbound Packet (IPsec Tunnel Mode) ... IP Encapsulation
Figure 2: Outbound Packet Construction under IPsec Tunnel Mode
When receiving ...
... VPN topology with virtual links established by IPsec
tunnel mode SAs, as would be required for compliance with [1]. Such
...
... Two problems arise; one is forwarding of VN traffic over IPsec tunnel
mode links, the other is source address selection on VN ...
... destination IP address and
the contents of the forwarding table. However, the IPsec
architecture does not define if and how tunnel mode SAs are
represented in the forwarding table.
...
... exist in the forwarding table.
There are two common implementation scenarios for tunnel mode SAs:
One is based on firewall-like packet matching operations where tunnel
mode SAs are not virtual interfaces, another is tunnel-based, and
treats a tunnel mode SA as a virtual interface. The current IPsec
architecture does not mandate one or the other.
Under the first approach, the presence of IPsec tunnel mode SAs is
invisible to the IP forwarding ...
... SA lookup determines which virtual link the
packet will be forwarded over, because the tunnel mode SA includes
encapsulation information. This lookup and the subsequent tunnel
mode processing both ignore the contents of the existing IP
forwarding table, whether static or dynamic routing is used. This
type of tunnel mode processing is thus incompatible with dynamically
routed VPNs.
The second approach - requiring tunnel mode SAs to be interfaces -
can be compatible with dynamically routed VPNs ...
... connects to at least two VNs.) The IPsec specification currently does
not define how tunnel mode SAs integrate with source address
selection.
...
... IIPtran - for the two
issues identified above. IIPtran replaces IPsec tunnel mode with a
combination of IPIP tunnel interfaces ...
... use of IPsec
transport mode and IPsec tunnel mode (host-to-host communication for
the former, and all transit communication for the latter). IIPtran ...
... 1].
As a result, replacing IPsec tunnel mode with IPIP tunnel devices and
IPsec transport mode ...
... IPsec header is based on the outer IP header,
whereas under IPsec tunnel mode processing, the IPsec header depends
on the contents of the inner IP header ...
... VPN packet (Figure 5) on the wire cannot be
distinguished from a VPN packet generated by IPsec tunnel mode
processing (Figure 2); and the two methods inter-operate, given
...
... A detailed discussion of the differences between IIPtran, IPsec
tunnel mode, and other proposed mechanisms follows in Section 4. The
remainder of this section will describe how IIPtran combines IPIP
tunnel devices ...
...
Section 2.3 described how IP forwarding over IPsec tunnel mode SAs
breaks, because tunnel mode SAs are not required to be network
interfaces. IIPtran uses RFC 2003prop ...
... 2] for VN links, instead of IPsec
tunnel mode SAs, allows existing multihoming solutions for source
address ...
...
In the first alternative, each IPsec tunnel mode SA is required to
act as a full-fledged network interface ...
... selection rules, but requires extensions to the IPsec architecture
that define tunnel mode SA interfaces and their associated management
...
... A second alternative is the addition of an extra forwarding lookup
before IPsec tunnel mode processing. This forwarding lookup will
return a "virtual interface ...
... outbound interface of the final encapsulated tunnel mode packet,
i.e., usually a physical interface in the base network. The tunnel
mode SA lookup following the forwarding lookup will occur in the
...
... SA interface. This solution seems to be equivalent
to the one described above (Section 4.1.1), i.e., all tunnel mode SAs
must be interfaces, and is not discussed separately below.
...
... However, because the current IPsec architecture does not require
tunnel mode SAs to behave similarly to interfaces (some implementers
...
... alternative 1 requires extensions to the current IPsec architecture
that define the exact behavior of tunnel mode SAs. The proposed
solution does not require any such changes to IPsec, and for tunnels ...
... Internet standards. It is also
not clear how tunnel mode SAs that specify port selectors would
operate under this scheme, since IP routing ...
... lookup before IPsec processing is irrelevant, because
IPsec tunnel mode SAs are not represented as interfaces, and thus
...
... gateway would not
help, because the SAD is not indexed by tunnel mode SA encapsulation
destination IP address ...
... IPIP encapsulation for VN links. Tunnel mode IPsec thus
becomes unnecessary and can potentially be removed ...
... SADs as a
component of IPsec. When tunnel mode SAs themselves act as
interfaces, the function of per-interface ...
... SA would not cause
encapsulation), and thus lead to processing loops. Multiple tunnel
mode SAs are prohibited, because dynamic routing algorithms construct
...
... tunnels directly, and combines them with transport mode processing.
By eliminating the use of tunnel mode, it removes the need for
additional constraints ...
... IIPtran decrypt
and/or authenticate the packet with the same techniques. IPsec
tunnel mode decapsulates and decrypts the packet in a single step,
followed by a policy check of the inner packet ...
... inner packet and its payload
against the respective IPsec tunnel mode SA. IIPtran uses IPsec
transport mode ...
... and its payload using firewall mechanisms, similar to IPsec tunnel
mode processing.
The primary difference between the two is that IPsec tunnel mode does
not require a separate processing step for validating packets; once
IPsec ...
... IPsec selectors under IIPtran can express the same set
of policies as conventional IPsec tunnel mode.
Note that in both cases, these policy enforcement rules violate
...
... routing.
In this example, A has IPsec tunnel mode SAs to B and C. If the
selectors for the virtual source and destination IP addresses ...
... expected. A consequence might be that IIPtran - even without
extensions to support the full expressiveness of tunnel mode SA
selectors as described above - can still support the majority of VPN
...
... also acts as a tunnel management protocol (when IPsec tunnel mode SAs
are configured), and negotiates security policies ...
... IKE with IIPtran is to negotiate a
tunnel mode SA, and then treat it as a transport mode SA against an
...
...
However, since IIPtran eliminates IPsec tunnel mode, it could also
simplify IKE, by limiting it to its original purpose of key exchange ...
... IPsec to secure its links. It illustrates how current use of
IPsec tunnel mode can fail to support dynamic VN routing (depending
on the implementation), and compares IIPtran ...
... IANA [2]. The use of IPIP inside an IPsec
transport packet can be confused with IPsec tunnel mode, because
IPsec does not specify any limits on the types of IP packets ...
... encapsulation
combined with IPsec transport mode and an IPsec tunnel mode packet
look identical on the wire. Thus, when an IPsec'ed packet arrives
...
... whether the packet was created using IPsec tunnel mode or IPsec
transport mode of an IPIP encapsulated packet. In both cases, the
...
... IPsec requires the
SA matching a received packet to indicate whether to apply tunnel
mode or transport mode.
...
... payload of protocol
type 4. If the SAD indicates that a tunnel mode association applies,
IPsec ...
