Re: IPSEC tunnels for LAN-to-LAN interop issue

[Dan Harkins <dharkins@network-alchemy.com>]

On Thu, 26 Aug 1999 13:11:24 PDT you wrote
> 
>   >> Can the remote end distinguish if a tunneled IPsec packet was created by
>   >> IPIP encapsulation + IPsec transport mode or IPsec tunnel mode? In eithe
>r
>   >> case, the incoming SA will have to match on the outer header.
> 
>   stephen> Yes, the outer header will be the same in either case, but
>   stephen> transport mode calls for matching SA selectors aginst the outer IP
>   stephen> header and the immdeiately following transport header (if port
>   stephen> selectors are employed), whereas tunnel mode calls for matching th
>e
>   stephen> selectors against the inner IP and transport headers.  Thus the
>   stephen> processing si different for each case.
> 
> That was my understanding for the sending side when an outgoing packet is
> tunneled. However, on the incoming side, the SA selectors must match against
> the outer header, because inner header and transport layer may be
> encrypted. Or am I missing something? If this is correct, I still think there
> is an ambiguity as to who is responsible for decapsulation.

The selectors don't apply at that stage on the inbound side. The SA is 
looked up against the SPI, protocol (which would be 4), and destination
address in the outer header. After decryption/decapsulation the receiver
would make sure that the selector which was used in creation of the SA
matches the decapsulated packet. 

There is no ambiguity for the receiver because the SAs are negotiated
differently. After decapsulation of a tunnel mode protected packet or 
reconstruction of a transport mode protected packet the particular selector
is applied. If it's a transport mode SA then that packet better be protocol
4 or you're supposed to drop it. If it's a tunnel mode SA then that packet
better match the selector or you're supposed to drop it.

Which brings up a problem in doing transport mode protected IPinIP. The 
selector would be for protocol 4 between the two boxes which means that 
_anything_ could be put into those tunnels. In tunnel mode the selector 
would be for whatever protocol in contained in the inner packet-- say, 
UDP port 520-- and then only that could be extracted from the tunnel.

  Dan.

---

Follow-Ups:

• Re: IPSEC tunnels for LAN-to-LAN interop issue
• From: Dan McDonald <danmcd@Eng.Sun.Com>
• Re: IPSEC tunnels for LAN-to-LAN interop issue
• From: Dan Harkins <dharkins@network-alchemy.com>

References:

• RE: IPSEC tunnels for LAN-to-LAN interop issue
• From: Lars Eggert <larse@ISI.EDU>

---

• Prev by Date: RE: IPSEC tunnels for LAN-to-LAN interop issue
• Next by Date: RE: IPSEC tunnels for LAN-to-LAN interop issue
• Prev by thread: RE: IPSEC tunnels for LAN-to-LAN interop issue
• Next by thread: Re: IPSEC tunnels for LAN-to-LAN interop issue
• Index(es):
  • Main
  • Thread