
RE: Transport / Tunnel Mode



Hi,
First of all, I would like to correct your question: what you have quoted is in RFC 2401, section 4.1, and not in RFC 2402 as you mentioned.
 
Now taking up your question, let us take this topology. PC1 is a host in Network 1 with GW1 as the Security Gateway. The Network (Network 1) is also reachable through R1. Similarly, PC2 is a host in Network 2 with GW2 as the Security Gateway. The Network (Network 2) is also reachable through R2.
 
Now when PC2 sends a packet to PC1 which has to be protected by IPSec, GW2 (the security GW for Network 2) will provide the IPSec security. If it is using a Transport mode SA, then the packet will look like [IP][IPSEC Header][ULP] (this is with reference to RFC 2401 only). Note that the IP header contains the IP address of PC2 as the source address and PC1 as the destination address. This packet has to be routed to Network 1. Network 1 is reachable through GW1 and R1. Due to the routing decisions, if the packet is routed through R1 (note that R1 is not the security gateway for PC1), then seeing the destination address as PC1, R1 will forward the packet to PC1, which is not at all capable of understanding IPSec protected packets.
 
To avoid this type of situation, if the packets are tunneled, then after IPSec processing by GW2 the packet will look like
[IPo][IPSec][IPi][ULP], where IPo is the outer IP header containing GW1 as the destination and GW2 as the source. This makes sure that the packet will reach GW1, so that it can provide the necessary IPSec processing and forward the packet to PC1.
 
Any comments regarding this are most welcome.
 
Regards,
Awan.
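
The routing problem described in the reply above, as an added example that is not part of the original post. The node names PC1/GW1/R1/PC2/GW2/R2 are the topology from the reply; the addresses and the two-path routing choice are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    ipsec: bool = False               # an AH/ESP header follows this IP header
    inner: Optional["Packet"] = None  # tunnel mode: the encapsulated original packet
    ulp: str = "TCP"

# Constructed addresses for the topology in the reply (not from the post)
PC1, GW1, R1 = "10.1.0.10", "10.1.0.1", "10.1.0.2"
PC2, GW2, R2 = "10.2.0.10", "10.2.0.1", "10.2.0.2"
NAME = {PC1: "PC1", GW1: "GW1", R1: "R1", PC2: "PC2", GW2: "GW2", R2: "R2"}

def protect_transport(pkt: Packet) -> Packet:
    """[IP][IPsec][ULP]: GW2 adds AH/ESP but keeps PC2 -> PC1 in the header."""
    return Packet(pkt.src, pkt.dst, ipsec=True, ulp=pkt.ulp)

def protect_tunnel(pkt: Packet) -> Packet:
    """[IPo][IPsec][IPi][ULP]: outer header GW2 -> GW1, original packet inside."""
    return Packet(GW2, GW1, ipsec=True, inner=pkt)

def next_hop_into_network1(dst: str, prefer_r1: bool) -> str:
    """Network 1 is reachable via GW1 or R1; IPsec has no say in that choice."""
    if dst in (GW1, R1):
        return dst                    # addressed to that node itself
    return R1 if prefer_r1 else GW1

def deliver(pkt: Packet, prefer_r1: bool) -> tuple:
    """Return (node that ends up with the packet, 'plaintext' or 'dropped')."""
    hop = next_hop_into_network1(pkt.dst, prefer_r1)
    if hop == GW1:
        # PC1's security gateway: strips AH/ESP (and the outer header) and forwards
        inner = pkt.inner or Packet(pkt.src, pkt.dst, ulp=pkt.ulp)
        return (NAME[inner.dst], "plaintext")
    # R1 is an ordinary router: it forwards on the destination address alone
    if pkt.ipsec:
        return (NAME[pkt.dst], "dropped")   # PC1 holds no SA for this traffic
    return (NAME[pkt.dst], "plaintext")

if __name__ == "__main__":
    original = Packet(PC2, PC1)
    for mode, protect in (("transport", protect_transport), ("tunnel", protect_tunnel)):
        for via_r1 in (False, True):
            print(mode, "via R1" if via_r1 else "via GW1", deliver(protect(original), via_r1))
```

The transport-mode packet only arrives in the clear when the routing happens to pick GW1; the tunnel-mode packet is addressed to GW1 itself, so the path choice no longer matters.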
 
           

-----Original Message-----
From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of akshay
Sent: Tuesday, November 28, 2000 9:02 PM
To: ipsec@lists.tislabs.com
Subject: Transport / Tunnel Mode

 
Hi
As per RFC 2402 under 1 i.e. definition and scope
 

" The requirement for any (transit traffic) SA involving a
security gateway to be a tunnel SA arises due to the need to avoid
potential problems with regard to fragmentation and reassembly of
IPsec packets, and in circumstances where multiple paths (e.g., via
different security gateways) exist to the same destination behind the
security gateways. "
 
 
Can anyone please explain how we can avoid fragmentation / reassembly in
tunnel mode and why it is not possible in transport mode.
 
WHY IN SECURITY GATEWAY IT IS REQUIRED TO USE TUNNEL
MODE ONLY ??
 
 
Cheers
Akshay
 
 
