Use of IPsec Transport Mode for Dynamic Routing
RFC 3884

Document type: RFC - Informational (September 2004; no errata)
Last updated: 2013-07-31
Stream: ISE
IESG state: RFC 3884 (Informational)
Responsible AD: Russ Housley
Network Working Group                                           J. Touch
Request for Comments: 3884                                           ISI
Category: Informational                                        L. Eggert
                                                                     NEC
                                                                 Y. Wang
                                                                     ISI
                                                          September 2004

            Use of IPsec Transport Mode for Dynamic Routing

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

IESG Note

   This document is not a candidate for any level of Internet Standard.
   The IETF disclaims any knowledge of the fitness of this document for
   any purpose, and in particular notes that it has not had IETF review
   for such things as security, congestion control or inappropriate
   interaction with deployed protocols.  The RFC Editor has chosen to
   publish this document at its discretion.  Readers of this document
   should exercise caution in evaluating its value for implementation
   and deployment.

Abstract

   IPsec can secure the links of a multihop network to protect
   communication between trusted components, e.g., for a secure virtual
   network (VN), overlay, or virtual private network (VPN). Virtual
   links established by IPsec tunnel mode can conflict with routing and
   forwarding inside VNs because IP routing depends on references to
   interfaces and next-hop IP addresses. The IPsec tunnel mode
   specification is ambiguous on this issue, so even compliant
   implementations cannot be trusted to avoid conflicts.  An alternative
   to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec
   transport mode, which we call IIPtran.  IPIP encapsulation occurs as
   a separate initial step, as the result of a forwarding lookup of the
   VN packet. IPsec transport mode processes the resulting (tunneled) IP
   packet with an SA determined through a security association database
   (SAD) match on the tunnel header.  IIPtran supports dynamic routing
   inside the VN without changes to the current IPsec architecture.
   IIPtran demonstrates how to configure any compliant IPsec
   implementation to avoid the aforementioned conflicts.  IIPtran is
   also compared to several alternative mechanisms for VN routing and
   their respective impact on IPsec, routing, policy enforcement, and
   interactions with the Internet Key Exchange (IKE).
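   The packet path the abstract describes, as an added example that is not
   part of RFC 3884 and not code from any IPsec implementation: a forwarding
   lookup of the VN packet selects an IPIP tunnel device, the packet is
   encapsulated, and only then is a transport-mode SA chosen by matching the
   SAD against the tunnel (outer) header.  Because the SA selectors never
   reference VN addresses, a VN route change moves traffic to another tunnel
   without touching the SAD.  The Packet, IPIPTunnel and TransportSA classes
   are assumptions of this model, and all addresses, prefixes and SPIs are
   constructed for illustration.

```python
# Added example (not from RFC 3884): a small model of the IIPtran data path.
# Addresses, prefixes and SPIs below are constructed; the classes are a
# modelling assumption, not an IPsec stack.
from dataclasses import dataclass
import ipaddress

IPPROTO_IPIP = 4    # non-IPsec IP-in-IP encapsulation, IIPtran's first step
IPPROTO_ESP = 50    # what transport mode adds after the IPIP tunnel header


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: object   # bytes, or an inner Packet once encapsulated


@dataclass(frozen=True)
class IPIPTunnel:
    """A plain IPIP tunnel device; VN routes point at it like any interface."""
    name: str
    local: str    # outer source address on this host
    remote: str   # outer destination address (the peer's tunnel endpoint)


@dataclass(frozen=True)
class TransportSA:
    """Transport-mode SA whose selectors are the outer src/dst and IPIP."""
    spi: int
    src: str
    dst: str
    proto: int = IPPROTO_IPIP


class IIPtranHost:
    def __init__(self, routes, sad):
        # routes: {VN prefix: device}; longest prefix wins, as in a FIB
        self.routes = {ipaddress.ip_network(p): dev for p, dev in routes.items()}
        self.sad = list(sad)

    def forwarding_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            raise LookupError(f"no VN route to {dst}")
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def sad_lookup(self, outer):
        # The SAD match is on the tunnel header, not on the VN packet, so
        # VN addresses never appear in IPsec selectors.
        for sa in self.sad:
            if (sa.src, sa.dst, sa.proto) == (outer.src, outer.dst, outer.proto):
                return sa
        return None

    def send(self, vn_pkt):
        """Return the packet as it leaves the host, or raise if no SA fits."""
        dev = self.forwarding_lookup(vn_pkt.dst)
        if not isinstance(dev, IPIPTunnel):
            return vn_pkt                      # ordinary local interface
        # Step 1: IPIP encapsulation, a separate step after the FIB lookup.
        outer = Packet(dev.local, dev.remote, IPPROTO_IPIP, vn_pkt)
        # Step 2: transport-mode SA selected on the outer header.
        sa = self.sad_lookup(outer)
        if sa is None:
            raise PermissionError(f"no transport SA for {outer.src}->{outer.dst}")
        # Step 3: ESP in transport mode keeps the outer IP header and wraps
        # the IPIP payload (the whole VN packet), tagged with the SPI here.
        return Packet(outer.src, outer.dst, IPPROTO_ESP, (sa.spi, outer.payload))

    def reroute(self, prefix, dev):
        """Dynamic routing inside the VN: only the FIB changes, never the SAD."""
        self.routes[ipaddress.ip_network(prefix)] = dev


def is_denied(host, pkt):
    """True when the host has a route but no SA for the resulting tunnel."""
    try:
        host.send(pkt)
        return False
    except PermissionError:
        return True


def demo():
    """Move a VN prefix between two tunnels and return (host, before, after)."""
    to_b = IPIPTunnel("vn-b", local="192.0.2.1", remote="198.51.100.1")
    to_c = IPIPTunnel("vn-c", local="192.0.2.1", remote="203.0.113.1")
    host = IIPtranHost(
        routes={"10.1.0.0/16": to_b, "10.2.0.0/16": to_c},
        sad=[TransportSA(0x1001, "192.0.2.1", "198.51.100.1"),
             TransportSA(0x1002, "192.0.2.1", "203.0.113.1")],
    )
    pkt = Packet("10.0.0.1", "10.1.5.5", 6, b"vn payload")
    before = host.send(pkt)
    host.reroute("10.1.0.0/16", to_c)     # VN routing now prefers neighbour C
    after = host.send(pkt)
    return host, before, after


if __name__ == "__main__":
    _, b, a = demo()
    print(f"before: {b.src}->{b.dst} ESP spi={b.payload[0]:#x}")
    print(f"after:  {a.src}->{a.dst} ESP spi={a.payload[0]:#x}")
```

   In the run, the same VN packet leaves under a different outer header and a
   different SA after the reroute, and the SAD still holds exactly the two
   per-tunnel-endpoint SAs it started with.  A host whose FIB points at a
   tunnel with no matching transport SA drops the packet, which is the policy
   check IIPtran keeps at the tunnel-endpoint level.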

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.2.  Document History . . . . . . . . . . . . . . . . . . . .  3
   2.  Problem Description. . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  IPsec Overview . . . . . . . . . . . . . . . . . . . . .  5
       2.2.  Forwarding Example . . . . . . . . . . . . . . . . . . .  6
       2.3.  Problem 1: Forwarding Issues . . . . . . . . . . . . . .  7
       2.4.  Problem 2: Source Address Selection  . . . . . . . . . .  8
   3.  IIPtran: IPIP Tunnel Devices + IPsec Transport Mode  . . . . .  9
       3.1.  IIPtran Details  . . . . . . . . . . . . . . . . . . . . 10
       3.2.  Solving Problem 1: Forwarding Issues . . . . . . . . . . 11
       3.3.  Solving Problem 2: Source Address Selection  . . . . . . 12
   4.  Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . 12
       4.1.  Other Proposed Solutions . . . . . . . . . . . . . . . . 12
             4.1.1.  Alternative 1: IPsec with Interface SAs. . . . . 13
             4.1.2.  Alternative 2: IPsec with Initial
                     Forwarding Lookup. . . . . . . . . . . . . . . . 13
             4.1.3.  Alternative 3: IPsec with Integrated
                     Forwarding . . . . . . . . . . . . . . . . . . . 14
       4.2.  Discussion . . . . . . . . . . . . . . . . . . . . . . . 14
             4.2.1.  VN Routing Support and Complexity  . . . . . . . 14
             4.2.2.  Impact on the IPsec Architecture . . . . . . . . 15
             4.2.3.  Policy Enforcement and Selectors . . . . . . . . 16
             4.2.4.  IKE Impact . . . . . . . . . . . . . . . . . . . 19
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 19
   6.  Summary and Recommendations  . . . . . . . . . . . . . . . . . 20
   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 20
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 20