
RE: IPSEC tunnels for LAN-to-LAN interop issue



Lars,

>  >> Can the remote end distinguish if a tunneled IPsec packet was created by
>  >> IPIP encapsulation + IPsec transport mode or IPsec tunnel mode? In either
>  >> case, the incoming SA will have to match on the outer header.
>
>  stephen> Yes, the outer header will be the same in either case, but
>  stephen> transport mode calls for matching SA selectors against the outer IP
>  stephen> header and the immediately following transport header (if port
>  stephen> selectors are employed), whereas tunnel mode calls for matching the
>  stephen> selectors against the inner IP and transport headers.  Thus the
>  stephen> processing is different for each case.
>
>That was my understanding for the sending side when an outgoing packet is
>tunneled. However, on the incoming side, the SA selectors must match against
>the outer header, because inner header and transport layer may be
>encrypted. Or am I missing something? If this is correct, I still think there
>is an ambiguity as to who is responsible for decapsulation.
>
Yes, you are missing something, but it's a subtle issue that has prompted
similar messages on this list in the past.

For inbound processing, one selects the right SA NOT based on selectors,
but based on the dest IP address, the SPI, and the security protocol type
(AH or ESP).  Then one checks the processed packet against the selectors.
To answer the question of which set of headers one uses in the checks, one
must know whether the SA is for tunnel or transport mode, which is a part
of the SAD, as per 2401.  It is true that the port fields might not be
accessible in the processed packet, e.g., if there is another layer of
IPsec employed, and that's OK IF the SPD specifies these values as OPAQUE.
Finally, after the selector comparison is done, it is also necessary to
ensure that all of the required processing has been performed, by reference
to the SPD or equivalent.  Thus, for example, if the SPD called for this
data stream to have both AH and ESP applied, one needs to ensure that both
headers were present and processed, otherwise an attacker could strip off
the AH and cause us to accept packets that did not meet all of the security
criteria established for a given data stream.

Hope this clarifies the wonderful world of inbound IPsec processing.

Steve
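The three inbound steps Steve describes (SA lookup by destination address, SPI and protocol; selector check against inner or outer headers according to the SA's mode, with OPAQUE port selectors; and a final check that every protocol the SPD requires was actually applied) are easier to see as code. The following is an added toy model written for this archive page, not code from the message, RFC 2401 or any real IPsec stack; the dict shapes, the sample SAD/SPD, the SPI values and the packets are all constructed assumptions.

```python
"""Toy model of RFC 2401 inbound IPsec processing, as described in the
message above. Everything here (the dict shapes, the sample SAD/SPD, the
packets) is constructed for illustration, not a real stack's API."""

OPAQUE = "OPAQUE"   # SPD value: field may be unreadable (e.g. nested IPsec), do not check
ANY = "ANY"         # SPD wildcard


def sel_match(selectors, hdr):
    """True if every selector in the SPD entry matches the header fields.
    ANY and OPAQUE match anything; OPAQUE also matches a missing field."""
    for name, want in selectors.items():
        if want in (ANY, OPAQUE):
            continue
        if hdr.get(name) != want:
            return False
    return True


def lookup_sa(sad, dst, spi, proto):
    """Inbound SA selection uses only (destination address, SPI, protocol)."""
    return sad.get((dst, spi, proto))


def inbound(pkt, sad, spd):
    """Process one inbound packet; return ('accept', why) or ('drop', why)."""
    outer = pkt["outer"]
    applied, sa = [], None
    for proto, spi in pkt["protections"]:          # outermost IPsec header first
        sa = lookup_sa(sad, outer["dst"], spi, proto)
        if sa is None:
            return ("drop", "no SA for (%s, 0x%x, %s)" % (outer["dst"], spi, proto))
        applied.append(proto)
    if sa is None:
        return ("drop", "no IPsec header present")
    entry = spd[sa["spd"]]                          # the SAD entry records its SPD entry
    # The SAD entry's mode decides which headers the selectors are checked against.
    if sa["mode"] == "tunnel":
        hdr = pkt.get("inner")
        if hdr is None:
            return ("drop", "tunnel-mode SA but no inner IP header")
    else:
        hdr = outer
    if not sel_match(entry["selectors"], hdr):
        return ("drop", "selector mismatch")
    # Final step: every protocol the SPD requires must actually have been applied,
    # otherwise a stripped AH header would go unnoticed.
    missing = set(entry["required"]) - set(applied)
    if missing:
        return ("drop", "required protection missing: %s" % sorted(missing))
    return ("accept", "selectors and required protections satisfied")


# --- constructed sample SAD/SPD and packets (assumed values) ----------------
SAD = {
    ("10.0.0.1", 0x1001, "esp"): {"mode": "tunnel", "spd": 0},
    ("10.0.0.1", 0x1002, "ah"):  {"mode": "tunnel", "spd": 0},
    ("10.0.0.1", 0x2001, "esp"): {"mode": "transport", "spd": 1},
}
SPD = [
    # LAN-to-LAN tunnel: selectors refer to the inner (LAN) addresses and ports
    {"selectors": {"src": "192.168.1.5", "dst": "192.168.2.7", "proto": "tcp", "dport": 22},
     "required": ("ah", "esp")},
    # Host-to-host transport: ports may be hidden by another IPsec layer, so OPAQUE
    {"selectors": {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": ANY, "dport": OPAQUE},
     "required": ("esp",)},
]
OUTER = {"src": "10.0.0.2", "dst": "10.0.0.1"}
INNER = {"src": "192.168.1.5", "dst": "192.168.2.7", "proto": "tcp", "dport": 22}

PACKETS = {
    # AH+ESP tunnel-mode packet matching SPD entry 0
    "ah_esp_tunnel": {"outer": OUTER, "protections": [("ah", 0x1002), ("esp", 0x1001)], "inner": INNER},
    # same packet with the AH header removed in transit
    "ah_stripped":   {"outer": OUTER, "protections": [("esp", 0x1001)], "inner": INNER},
    # transport mode, no readable transport header (ports unavailable)
    "transport_opaque_port": {"outer": OUTER, "protections": [("esp", 0x2001)]},
    # SPI with no SAD entry
    "unknown_spi":   {"outer": OUTER, "protections": [("esp", 0x9999)], "inner": INNER},
}


def run_examples():
    """Return {name: ('accept'|'drop', reason)} for each constructed packet."""
    return {name: inbound(pkt, SAD, SPD) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_examples().items():
        print("%-22s %-6s %s" % (name, verdict, why))
```

The "ah_stripped" packet passes SA lookup and the selector check, and is rejected only by the last step, which is the point of Steve's closing paragraph: selector matching alone does not tell you that every protection the SPD demanded was present.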

