Use of IPsec Transport Mode for Dynamic Routing
RFC 3884
| Document | Type |
RFC - Informational
(September 2004; No errata)
Was draft-touch-ipsec-vpn (sec)
|
|
|---|---|---|---|
| Authors | Yu-Shun Wang , Lars Eggert , Joseph Touch | ||
| Last updated | 2015-10-14 | ||
| Stream | ISE | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | ISE state | (None) | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 3884 (Informational) | |
| Action Holders |
(None)
|
||
| Telechat date | |||
| Responsible AD | Russ Housley | ||
| Send notices to | (None) | ||
Network Working Group J. Touch
Request for Comments: 3884 ISI
Category: Informational L. Eggert
NEC
Y. Wang
ISI
September 2004
Use of IPsec Transport Mode for Dynamic Routing
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
IESG Note
This document is not a candidate for any level of Internet Standard.
The IETF disclaims any knowledge of the fitness of this document for
any purpose, and in particular notes that it has not had IETF review
for such things as security, congestion control or inappropriate
interaction with deployed protocols. The RFC Editor has chosen to
publish this document at its discretion. Readers of this document
should exercise caution in evaluating its value for implementation
and deployment.
Abstract
IPsec can secure the links of a multihop network to protect
communication between trusted components, e.g., for a secure virtual
network (VN), overlay, or virtual private network (VPN). Virtual
links established by IPsec tunnel mode can conflict with routing and
forwarding inside VNs because IP routing depends on references to
interfaces and next-hop IP addresses. The IPsec tunnel mode
specification is ambiguous on this issue, so even compliant
implementations cannot be trusted to avoid conflicts. An alternative
to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec
transport mode, which we call IIPtran. IPIP encapsulation occurs as
a separate initial step, as the result of a forwarding lookup of the
VN packet. IPsec transport mode processes the resulting (tunneled) IP
packet with an SA determined through a security association database
(SAD) match on the tunnel header. IIPtran supports dynamic routing
Touch, et al. Informational [Page 1]
RFC 3884 IPsec Transport Mode for Dynamic Routing September 2004
inside the VN without changes to the current IPsec architecture.
IIPtran demonstrates how to configure any compliant IPsec
implementation to avoid the aforementioned conflicts. IIPtran is
also compared to several alternative mechanisms for VN routing and
their respective impact on IPsec, routing, policy enforcement, and
interactions with the Internet Key Exchange (IKE).
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Document History . . . . . . . . . . . . . . . . . . . . 3
2. Problem Description. . . . . . . . . . . . . . . . . . . . . . 4
2.1. IPsec Overview . . . . . . . . . . . . . . . . . . . . . 5
2.2. Forwarding Example . . . . . . . . . . . . . . . . . . . 6
2.3. Problem 1: Forwarding Issues . . . . . . . . . . . . . . 7
2.4. Problem 2: Source Address Selection . . . . . . . . . . 8
3. IIPtran: IPIP Tunnel Devices + IPsec Transport Mode . . . . . 9
3.1. IIPtran Details . . . . . . . . . . . . . . . . . . . . 10
3.2. Solving Problem 1: Forwarding Issues . . . . . . . . . . 11
3.3. Solving Problem 2: Source Address Selection . . . . . . 12
4. Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Other Proposed Solutions . . . . . . . . . . . . . . . . 12
4.1.1. Alternative 1: IPsec with Interface SAs. . . . . 13
4.1.2. Alternative 2: IPsec with Initial
Forwarding Lookup. . . . . . . . . . . . . . . . 13
4.1.3. Alternative 3: IPsec with Integrated
Forwarding . . . . . . . . . . . . . . . . . . . 14
4.2. Discussion . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.1. VN Routing Support and Complexity . . . . . . . 14
4.2.2. Impact on the IPsec Architecture . . . . . . . . 15
4.2.3. Policy Enforcement and Selectors . . . . . . . . 16
4.2.4. IKE Impact . . . . . . . . . . . . . . . . . . . 19
5. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6. Summary and Recommendations . . . . . . . . . . . . . . . . . 20
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
8.1. Normative References . . . . . . . . . . . . . . . . . . 20
8.2. Informative References . . . . . . . . . . . . . . . . . 21
A. Encapsulation/Decapsulation Issues . . . . . . . . . . . . . . 22
Show full document text