
RE: Transport / Tunnel Mode



And isn't there also the issue that you couldn't use ESP authentication with
sgw-sgw or host-sgw transport mode? AH would again become mandatory in order
to protect the outer (and only) header.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.

-----Original Message-----
From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On
Behalf Of Awan Kumar Sharma
Sent: Wednesday, November 29, 2000 4:31 AM
To: 'akshay'
Cc: IpsecMailingList (E-mail)
Subject: RE: Transport / Tunnel Mode


Hi,
First of all, I would like to correct your question. What you quoted is in
RFC 2401, section 4.1, and not in RFC 2402 as you mentioned.

Now taking up your question, let us take this topology. PC1 is a host in
Network 1 with GW1 as the Security Gateway. The Network (Network 1) is also
reachable through R1. Similarly, PC2 is a host in Network 2 with GW2 as the
Security Gateway. The Network (Network 2) is also reachable through R2.

Now when PC2 sends a packet to PC1 which has to be protected by IPSec, GW2
(the security GW for Network 2) will provide the IPSec security. If it is using
a Transport mode SA, then the packet will look like [IP][IPSEC Header][ULP].
(This is with reference to RFC 2401 only.) Note that the IP header contains the
address of PC2 as the source address and PC1 as the destination address. This
packet has to be routed to Network 1. Network 1 is reachable through GW1 and
R1. Due to the routing decisions, if the packet is routed through R1 (note
that R1 is not the security gateway for PC1), then, seeing the destination
address as PC1, R1 will forward the packet to PC1, which is not at all capable
of understanding the IPSec protected packets.

To avoid this type of situation, if the packets are tunneled, then after IPSec
processing by GW2 the packet will look like
        [IPo][IPSec][IPi][ULP], where IPo is the outer IP header containing
GW1 as the destination and GW2 as the source. This makes sure that the
packet will reach GW1, so that it can provide the necessary IPSec processing
and forward the packet to PC1.

Any comments regarding this are most welcome.

Regards,
Awan.
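A small Python model of the two-path topology Awan describes (an added example, not part of the thread): the node names PC1, PC2, GW1, GW2 and R1, the SA table, and the reduction of routers to "forward on the outermost destination address" are all constructed assumptions, not real IPsec processing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str                          # source in the outermost IP header
    dst: str                          # destination in the outermost IP header
    ipsec: bool = False               # an AH/ESP header follows the outer IP header
    inner: Optional["Packet"] = None  # encapsulated packet, tunnel mode only

def transport_mode(pkt: Packet) -> Packet:
    """[IP][IPsec][ULP]: the original header stays the only IP header."""
    return Packet(pkt.src, pkt.dst, ipsec=True)

def tunnel_mode(pkt: Packet, gw_src: str, gw_dst: str) -> Packet:
    """[IPo][IPsec][IPi][ULP]: a new outer header addresses the two gateways."""
    return Packet(gw_src, gw_dst, ipsec=True, inner=pkt)

# Constructed SA database: only the two security gateways share an SA.
SA_PEERS = {"GW1": {"GW2"}, "GW2": {"GW1"}, "PC1": set(), "PC2": set()}

def receive(node: str, pkt: Packet) -> str:
    """What `node` does with a packet whose outermost header is addressed to it."""
    if not pkt.ipsec:
        return f"{node} accepts plaintext"
    if pkt.src not in SA_PEERS[node]:
        return f"{node} has no SA with {pkt.src}, packet dropped"
    if pkt.inner is not None:            # tunnel mode: strip outer header, forward
        return f"{node} decapsulates; {receive(pkt.inner.dst, pkt.inner)}"
    return f"{node} verifies transport-mode packet"

def route_into_network1(pkt: Packet, first_hop: str) -> str:
    """Network 1 is reachable through GW1 or R1. Whichever the routing decision
    picks, it forwards on the outermost destination address and nothing else."""
    return f"{first_hop} forwards to {pkt.dst}: {receive(pkt.dst, pkt)}"

def compare(first_hop: str) -> dict:
    """PC2 -> PC1 traffic protected by GW2 in each mode, entering via first_hop."""
    plain = Packet("PC2", "PC1")
    return {
        "transport": route_into_network1(transport_mode(plain), first_hop),
        "tunnel": route_into_network1(tunnel_mode(plain, "GW2", "GW1"), first_hop),
    }

if __name__ == "__main__":
    # The problematic path from the thread: the routing decision picks R1.
    for mode, outcome in compare("R1").items():
        print(f"{mode:9} via R1: {outcome}")
```

In transport mode the only header says PC2 -> PC1, so R1 hands an IPsec packet to a host with no SA; in tunnel mode the outer header says GW2 -> GW1, so either path delivers it to GW1, which decapsulates and forwards plaintext to PC1.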




-----Original Message-----
From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On
Behalf Of akshay
Sent: Tuesday, November 28, 2000 9:02 PM
To: ipsec@lists.tislabs.com
Subject: Transport / Tunnel Mode



Hi
As per RFC 2402 under 1 i.e. definition and scope

" The requirement for any (transit traffic) SA involving a
security gateway to be a tunnel SA arises due to the need to avoid
potential problems with regard to fragmentation and reassembly of
IPsec packets, and in circumstances where multiple paths (e.g., via
different security gateways) exist to the same destination behind the
security gateways. "

Can anyone please explain how we can avoid fragmentation / reassembly in
tunnel mode and why it is not possible in transport mode?
WHY IN SECURITY GATEWAY IT IS REQUIRED TO USE TUNNEL
MODE ONLY?

Cheers
Akshay



