
Use of IPsec Transport Mode for Dynamic Routing (RFC3884)

IP.com Disclosure Number: IPCOM000031435D
Original Publication Date: 2004-Sep-01
Included in the Prior Art Database: 2004-Sep-25
Document File: 26 page(s) / 59K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Touch: AUTHOR [+3]

Abstract

IPsec can secure the links of a multihop network to protect communication between trusted components, e.g., for a secure virtual network (VN), overlay, or virtual private network (VPN). Virtual links established by IPsec tunnel mode can conflict with routing and forwarding inside VNs because IP routing depends on references to interfaces and next-hop IP addresses. The IPsec tunnel mode specification is ambiguous on this issue, so even compliant implementations cannot be trusted to avoid conflicts. An alternative to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec transport mode, which we call IIPtran. IPIP encapsulation occurs as a separate initial step, as the result of a forwarding lookup of the VN packet. IPsec transport mode processes the resulting (tunneled) IP packet with an SA determined through a security association database (SAD) match on the tunnel header. IIPtran supports dynamic routing

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 5% of the total text.

Network Working Group                                           J. Touch
Request for Comments: 3884                                           ISI
Category: Informational                                        L. Eggert
                                                                     NEC
                                                                 Y. Wang
                                                                     ISI
                                                          September 2004

            Use of IPsec Transport Mode for Dynamic Routing

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

IESG Note

   This document is not a candidate for any level of Internet Standard.
   The IETF disclaims any knowledge of the fitness of this document for
   any purpose, and in particular notes that it has not had IETF review
   for such things as security, congestion control or inappropriate
   interaction with deployed protocols.  The RFC Editor has chosen to
   publish this document at its discretion.  Readers of this document
   should exercise caution in evaluating its value for implementation
   and deployment.

Abstract

   IPsec can secure the links of a multihop network to protect
   communication between trusted components, e.g., for a secure virtual
   network (VN), overlay, or virtual private network (VPN). Virtual
   links established by IPsec tunnel mode can conflict with routing and
   forwarding inside VNs because IP routing depends on references to
   interfaces and next-hop IP addresses. The IPsec tunnel mode
   specification is ambiguous on this issue, so even compliant
   implementations cannot be trusted to avoid conflicts.  An alternative
   to tunnel mode uses non-IPsec IPIP encapsulation together with IPsec
   transport mode, which we call IIPtran.  IPIP encapsulation occurs as
   a separate initial step, as the result of a forwarding lookup of the
   VN packet. IPsec transport mode processes the resulting (tunneled) IP
   packet with an SA determined through a security association database
   (SAD) match on the tunnel header.  IIPtran supports dynamic routing

Touch, et al.                Informational                      [Page 1]

RFC 3884        IPsec Transport Mode for Dynamic Routing  September 2004

   inside the VN without chan...
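To make the two-step process described in the abstract concrete, the following is an added Python model (not code from the RFC or its authors): a VN packet is sent to a tunnel endpoint chosen by an ordinary routing lookup, IPIP-encapsulated, and only then matched against an SAD keyed on the tunnel header for ESP transport mode, so routing rather than IPsec policy decides where the tunnel goes. All addresses, prefixes, SPIs and SAD contents are constructed, and ESP encryption and integrity protection are omitted so that the framing and the two lookups stay visible.

```python
import ipaddress
import socket
import struct

IPPROTO_IPIP, IPPROTO_ESP = 4, 50
LOCAL = "192.0.2.10"  # constructed: this VN router's own tunnel endpoint address

# Constructed VN forwarding table: VN (inner) prefix -> next-hop tunnel endpoint.
VN_ROUTES = {ipaddress.ip_network("10.1.0.0/16"): "192.0.2.1",
             ipaddress.ip_network("10.2.0.0/16"): "192.0.2.2"}
# Constructed SAD: selectors are the outer (tunnel) header, never the VN packet.
SAD = {(LOCAL, "192.0.2.1", IPPROTO_IPIP): {"spi": 0x1000, "seq": 0},
       (LOCAL, "192.0.2.2", IPPROTO_IPIP): {"spi": 0x2000, "seq": 0}}

def ipv4_hdr(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left zero in this constructed model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a packet with a 20-byte IPv4 header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[20:]

def vn_forward(vn_pkt):
    """Step 1: a normal longest-prefix forwarding lookup on the VN packet's destination."""
    dst = ipaddress.ip_address(parse_ipv4(vn_pkt)[1])
    candidates = [(net.prefixlen, nh) for net, nh in VN_ROUTES.items() if dst in net]
    return max(candidates)[1]

def iiptran_send(vn_pkt):
    """IIPtran outbound: IPIP-encapsulate first, then apply ESP transport mode to the result."""
    tunnel = ipv4_hdr(LOCAL, vn_forward(vn_pkt), IPPROTO_IPIP, len(vn_pkt)) + vn_pkt
    src, dst, proto, payload = parse_ipv4(tunnel)
    sa = SAD[(src, dst, proto)]  # step 2: SAD match on the tunnel header, not the VN packet
    sa["seq"] += 1
    # ESP transport mode keeps the tunnel header, inserts SPI/seq, and ends with an ESP
    # trailer (pad length, next header = IPIP).  Encryption and ICV are omitted in this model.
    esp = struct.pack("!II", sa["spi"], sa["seq"]) + payload + struct.pack("!BB", 0, proto)
    return ipv4_hdr(src, dst, IPPROTO_ESP, len(esp)) + esp

def iiptran_receive(pkt):
    """IIPtran inbound: find the SA by SPI, strip ESP, then hand the decapsulated VN packet on."""
    src, dst, proto, esp = parse_ipv4(pkt)
    spi = struct.unpack("!I", esp[:4])[0]
    if not any(sa["spi"] == spi for sa in SAD.values()):
        raise KeyError("unknown SPI %#x" % spi)
    if proto != IPPROTO_ESP or esp[-1] != IPPROTO_IPIP:
        raise ValueError("expected ESP transport mode carrying an IPIP packet")
    inner = esp[8:len(esp) - 2 - esp[-2]]  # drop SPI/seq and the trailer (pad, next header)
    return parse_ipv4(inner)  # the VN router now does its own forwarding lookup on this packet
```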