Use of IPsec Transport Mode for Dynamic Routing
RFC 3884
Document | Type |
RFC - Informational
(September 2004; No errata)
Was draft-touch-ipsec-vpn (sec)
|
|
---|---|---|---|
Authors | Yu-Shun Wang , Lars Eggert , Joseph Touch | ||
Last updated | 2015-10-14 | ||
Stream | ISE | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | ISE state | (None) | |
Consensus Boilerplate | Unknown | ||
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 3884 (Informational) | |
Action Holders |
(None)
|
||
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | (None) |
Network Working Group J. Touch Request for Comments: 3884 ISI Category: Informational L. Eggert NEC Y. Wang ISI September 2004 Use of IPsec Transport Mode for Dynamic Routing Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2004). IESG Note This document is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this document for any purpose, and in particular notes that it has not had IETF review for such things as security, congestion control or inappropriate interaction with deployed protocols. The RFC Editor has chosen to publish this document at its discretion. Readers of this document should exercise caution in evaluating its value for implementation and deployment. Abstract IPsec can secure the links of a multihop network to protect communication between trusted components, e.g., for a secure virtual network (VN), overlay, or virtual private network (VPN). Virtual links established by IPsec tunnel mode can conflict with routing and forwarding inside VNs because IP routing depends on references to interfaces and next-hop IP addresses. The IPsec tunnel mode specification is ambiguous on this issue, so even compliant implementations cannot be trusted to avoid conflicts. An alternative to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec transport mode, which we call IIPtran. IPIP encapsulation occurs as a separate initial step, as the result of a forwarding lookup of the VN packet. IPsec transport mode processes the resulting (tunneled) IP packet with an SA determined through a security association database (SAD) match on the tunnel header. IIPtran supports dynamic routing Touch, et al. Informational [Page 1] RFC 3884 IPsec Transport Mode for Dynamic Routing September 2004 inside the VN without changes to the current IPsec architecture. IIPtran demonstrates how to configure any compliant IPsec implementation to avoid the aforementioned conflicts. IIPtran is also compared to several alternative mechanisms for VN routing and their respective impact on IPsec, routing, policy enforcement, and interactions with the Internet Key Exchange (IKE). Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Document History . . . . . . . . . . . . . . . . . . . . 3 2. Problem Description. . . . . . . . . . . . . . . . . . . . . . 4 2.1. IPsec Overview . . . . . . . . . . . . . . . . . . . . . 5 2.2. Forwarding Example . . . . . . . . . . . . . . . . . . . 6 2.3. Problem 1: Forwarding Issues . . . . . . . . . . . . . . 7 2.4. Problem 2: Source Address Selection . . . . . . . . . . 8 3. IIPtran: IPIP Tunnel Devices + IPsec Transport Mode . . . . . 9 3.1. IIPtran Details . . . . . . . . . . . . . . . . . . . . 10 3.2. Solving Problem 1: Forwarding Issues . . . . . . . . . . 11 3.3. Solving Problem 2: Source Address Selection . . . . . . 12 4. Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.1. Other Proposed Solutions . . . . . . . . . . . . . . . . 12 4.1.1. Alternative 1: IPsec with Interface SAs. . . . . 13 4.1.2. Alternative 2: IPsec with Initial Forwarding Lookup. . . . . . . . . . . . . . . . 13 4.1.3. Alternative 3: IPsec with Integrated Forwarding . . . . . . . . . . . . . . . . . . . 14 4.2. Discussion . . . . . . . . . . . . . . . . . . . . . . . 14 4.2.1. VN Routing Support and Complexity . . . . . . . 14 4.2.2. Impact on the IPsec Architecture . . . . . . . . 15 4.2.3. Policy Enforcement and Selectors . . . . . . . . 16 4.2.4. IKE Impact . . . . . . . . . . . . . . . . . . . 19 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 6. Summary and Recommendations . . . . . . . . . . . . . . . . . 20 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 8.1. Normative References . . . . . . . . . . . . . . . . . . 20 8.2. Informative References . . . . . . . . . . . . . . . . . 21 A. Encapsulation/Decapsulation Issues . . . . . . . . . . . . . . 22Show full document text