
Re: Selectors and Transport Layer Protocol




"Is IPIP a transport protocol?" is a good question - Certainly one 
that many firewall vendors grapple with.  

Unlike other protocols in the transport category (such as TCP, UDP, 
AH and ESP), IPIP does not have a header of its own and certainly does 
not have a multiplexing handle on top of IP. Clearly, IPIP is a network 
layer redirection technique and as such, an exception amongst transport 
protocols.

Different firewall vendors deal with IPIP differently with regard to 
applying firewall policies. As for IPsec, RFC 2401 quote below seems to 
imply that IPIP should not be perceived as a "true" transport protocol 
and that it should be circumvented.  Makes sense to me. 

cheers,
suresh

> 
> Reading the documentation non-sequentially, as happens when one
> implements things and needs to check on one issue here and there, I
> happened on Architecture (RFC 2401), page 17
> 
>  NOTE: To locate the transport protocol, a system has to chain
>  through the packet headers checking the "Protocol" or "Next
>  Header" field until it encounters either one it recognizes as
>  a transport protocol, or until it reaches one that isn't on
>  its list of extension headers, or until it encounters an ESP
>  header that renders the transport protocol opaque.
> 
> The questions arise
> 
> - why not just define it as a check on topmost protocol (in next
>   header), forget the loop? If I don't want any funny wrapping and
>   tunneling protocols pass, my policy explicitly allows only known
>   protocols (or a separate firewall does). The "topmost" protocol is
>   known even for the fragments.
> 
> - what is transport protocol anyway? Only UDP or TCP? What if I want
>   to have selector specifically for IPIP or ESP or AH? (e.g. for
>   example, for some odd reason, gateway policy might be to do only AH
>   for packets that already have ESP). Or, if I wanted to do some kinky
>   IPSEC with fragmented packets?
> 
> This just caught my "fuzzy detector" while reading it, at least with
> IPv4. "Test the topmost" would remove the fuzzy feeling...
> 
> Perhaps it makes more sense with IPv6, but then the wording should be
> "skipping non-protocol extension headers" or somesuch? (I don't know
> IPv6 well enough at this point).
> 
> --
> Some additional discussion..
> 
> 	If my policy says to use a specific security bundle for TCP,
> 	do I really intend the same bundle to apply when someone wraps
> 	TCP inside a IPIP tunnel? (Moot question, if IPIP is transport
> 	protocol).
> 
> -- 
> Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
> Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
> 
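The header-chaining rule quoted from RFC 2401 above, and the two readings of it argued in this thread ("test the topmost" versus chaining, and whether IPIP counts as a transport protocol), written out as an added example. This is not code from the RFC, from the thread, or from any IPsec implementation; the protocol numbers are the IANA assignments and the three packets at the bottom are constructed by hand so the walk can be run offline.

```python
"""Locate the IPsec selector 'transport protocol' by walking an IP header chain.

Added example for the RFC 2401 NOTE quoted in the thread; not code from the
RFC or from the thread. Protocol numbers are the IANA assignments; the packets
at the bottom are constructed by hand for illustration (checksums left zero,
since nothing here validates them)."""
import struct

HOPOPTS, IPIP, TCP, UDP, IPV6, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = \
    0, 4, 6, 17, 41, 43, 44, 50, 51, 60

# Headers the walker steps over: IPv6 extension headers plus AH, which also
# carries a Next Header field and leaves the payload visible.
EXTENSION_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, AH}
# Headers that begin a new IP packet inside the current one.
TUNNEL_HEADERS = {IPIP, IPV6}


def _first_header(pkt):
    """Return (Protocol / Next Header value, offset of the first payload header)."""
    version = pkt[0] >> 4
    if version == 4:
        return pkt[9], (pkt[0] & 0x0F) * 4
    if version == 6:
        return pkt[6], 40
    raise ValueError("not an IPv4 or IPv6 packet")


def topmost_protocol(pkt):
    """Markku's 'test the topmost' alternative: the outer header's value, no loop."""
    return _first_header(pkt)[0]


def chain_to_transport(pkt, transport=frozenset({TCP, UDP}), walk_tunnels=False):
    """Walk the header chain the way the RFC 2401 NOTE describes.

    Returns (protocol_number, reason), where reason is one of:
      'transport'    - a protocol listed in `transport` was reached
      'opaque'       - ESP was reached; whatever follows is encrypted
      'unrecognised' - a header that is neither transport nor extension
    The thread's question maps onto the parameters: add IPIP to `transport`
    to treat a tunnel header as the transport protocol, or set
    walk_tunnels=True to step into the inner IP header (the 'circumvent it'
    reading)."""
    proto, off = _first_header(pkt)
    while True:
        if proto in transport:
            return proto, "transport"
        if proto == ESP:
            return proto, "opaque"
        if proto in TUNNEL_HEADERS and walk_tunnels:
            if off + 20 > len(pkt):
                raise ValueError("truncated inside tunnel header")
            proto, inner_off = _first_header(pkt[off:])
            off += inner_off
            continue
        if proto not in EXTENSION_HEADERS:
            return proto, "unrecognised"
        if off + 2 > len(pkt):
            raise ValueError("truncated inside extension header")
        nxt = pkt[off]
        if proto == AH:
            hdr_len = (pkt[off + 1] + 2) * 4      # AH Payload Len is in 32-bit words minus 2
        elif proto == FRAGMENT:
            hdr_len = 8                           # fragment header has a fixed size
        else:
            hdr_len = (pkt[off + 1] + 1) * 8      # Hdr Ext Len is in 8-octet units minus 1
        proto, off = nxt, off + hdr_len


# ---- constructed sample packets (not captured traffic) ----
def _ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def _ipv6(nxt, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64, src, dst) + payload


def _ext(nxt):
    """Minimal IPv6 extension header: one 8-octet unit, options all padding."""
    return bytes([nxt, 0]) + b"\x00" * 6


def _ah(nxt):
    """AH with Payload Len 4 -> 24 bytes: nxt, len, reserved, SPI, seq, 12-byte ICV."""
    return bytes([nxt, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12


TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
ESP_HEADER = struct.pack("!II", 0x200, 1) + b"\x00" * 16   # SPI, seq, ciphertext stand-in

IPIP_TUNNEL = _ipv4(IPIP, _ipv4(TCP, TCP_SEGMENT))                     # IPv4 / IPIP / IPv4 / TCP
IPV6_WITH_EXTS = _ipv6(HOPOPTS, _ext(DSTOPTS) + _ext(TCP) + TCP_SEGMENT)  # IPv6 / HBH / DstOpts / TCP
AH_THEN_ESP = _ipv4(AH, _ah(ESP) + ESP_HEADER)                         # IPv4 / AH / ESP

if __name__ == "__main__":
    for name, pkt in [("IPIP tunnel", IPIP_TUNNEL), ("IPv6 + ext hdrs", IPV6_WITH_EXTS),
                      ("AH then ESP", AH_THEN_ESP)]:
        print(f"{name:16} topmost={topmost_protocol(pkt):3} "
              f"chain={chain_to_transport(pkt)} "
              f"chain(walk tunnels)={chain_to_transport(pkt, walk_tunnels=True)}")
```

Running it shows the difference the thread is about: for the IPv6 packet the topmost value is 0 (Hop-by-Hop) while the chained walk reaches TCP, and for the IPIP packet the walk either stops at protocol 4, calls it the transport protocol, or descends to the inner TCP header, depending purely on which of the two policies the implementer chose. The loop stops at ESP in every mode because nothing past it is visible to a policy check.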


