2401bis Issue #73 -- IP Option & Ext Hdr handling in Tunnel Mode
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 73
Title: IP Option & Ext Hdr handling in Tunnel Mode
Description:
============
For tunnel mode, there were some questions as to how to handle the IP
options field and IPv6 extension headers in the outer header, e.g.,
does the IPsec code construct the options in the outer header. 2401
currently describes the IP option and extension header handling in
tunnel mode as follows.
IPv4 -- Header Construction for Tunnel Mode

                    <-- How Outer Hdr Relates to Inner Hdr -->
                  Outer Hdr at                  Inner Hdr at
  IPv4            Encapsulator                  Decapsulator
    Header fields:  --------------------        ------------
      version       4 (1)                       no change
      header length constructed                 no change
      TOS           copied from inner hdr (5)   no change
      total length  constructed                 no change
      ID            constructed                 no change
      flags (DF,MF) constructed, DF (4)         no change
      fragmt offset constructed                 no change
      TTL           constructed (2)             decrement (2)
      protocol      AH, ESP, routing hdr        no change
      checksum      constructed                 constructed (2)
      src address   constructed (3)             no change
      dest address  constructed (3)             no change
      Options       never copied                no change

IPv6 -- Header Construction for Tunnel Mode

                    <-- How Outer Hdr Relates to Inner Hdr -->
                  Outer Hdr at                  Inner Hdr at
  IPv6            Encapsulator                  Decapsulator
    Header fields:  --------------------        ------------
      version       6 (1)                       no change
      class         copied or configured (6)    no change
      flow id       copied or configured        no change
      len           constructed                 no change
      next header   AH, ESP, routing hdr        no change
      hop limit     constructed (2)             decrement (2)
      src address   constructed (3)             no change
      dest address  constructed (3)             no change
      Extension headers never copied            no change
NOTE: In Issue #57 "ECN support", it was proposed that for the two
tables above, the entries for "TOS" and "class" be modified as shown
below to (a) conform to the replacement of TOS and of class by DS
(aka DSCP) and ECN, and (b) to conform with David Black's ID "IKEv2:
ECN Requirements for IPsec Tunnels".
                    <-- How Outer Hdr Relates to Inner Hdr -->
                  Outer Hdr at                  Inner Hdr at
  IPv4            Encapsulator                  Decapsulator
    Header fields:  --------------------        ------------
      DS Field      copied from inner hdr (5)   no change
      ECN Field     copied from inner hdr       constructed (7)

  IPv6
    Header fields:
      DS Field      copied from inner hdr (6)   no change
      ECN Field     copied from inner hdr       constructed (7)
(5)(6) If the packet will immediately enter a domain
for which the DSCP value in the outer header is not
appropriate, that value MUST be mapped to an appropriate
value for the domain [RFC 2474]. See [RFC 2475] for
further information.
(7) If the ECN field in the inner header is set to
ECT(0) or ECT(1) and the ECN field in the outer header
is set to CE, then set the ECN field in the inner header
to CE, otherwise make no change to the ECN field in the
inner header.
Proposed approach:
==================
1. Add text to the sections on "IPv4 -- Header Construction for
Tunnel Mode" along the lines of...
"IPsec does not copy the options from the inner header into the outer
header, and IPsec does not construct the options in the outer header.
However, post-IPsec code MAY insert/construct options for the outer
header."
2. Add text to the sections on "IPv6 -- Header Construction for
Tunnel Mode" along the lines of...
"IPsec does not copy the extension headers from the inner header into
the outer header, and IPsec does not construct the extension headers
in the outer header. However, post-IPsec code MAY insert/construct
extension headers for the outer header."
Thank you,
Karen
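The IPv4 encapsulator/decapsulator columns above, carried out on bytes, as an added example that is not part of Karen's message or of any IPsec implementation. It builds the outer IPv4 header the way the table prescribes (DS and ECN copied from the inner header, ID/flags/TTL/checksum constructed, protocol = ESP, options never copied, so the outer IHL is always 5), then applies the decapsulator column including note (7): a CE mark that a congested router set on the outer header is propagated into an ECT(0)/ECT(1) inner header. The sample inner packet, its 4-byte options field and the addresses are constructed for the example; the outer TTL of 64 and a cleared DF bit are assumed policy choices, and the ESP header, trailer and encryption are left out because only the outer-header field derivation is at issue.

```python
import struct

ESP = 50                          # IP protocol number carried in the outer header
NOT_ECT, ECT1, ECT0, CE = 0, 1, 2, 3  # RFC 3168 ECN codepoints (low 2 bits of TOS)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksum(pkt: bytearray) -> None:
    """Recompute the header checksum in place over IHL*4 bytes (options included)."""
    ihl = (pkt[0] & 0x0F) * 4
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", ipv4_checksum(bytes(pkt[:ihl])))


def build_inner_packet() -> bytes:
    """Constructed sample inner packet (not captured traffic): 10.0.0.1 -> 10.0.0.2,
    DSCP AF11 (0x0a) with ECT(0), TTL 64, UDP, plus a 4-byte options field
    (NOP, NOP, NOP, EOL) so the inner header is 24 bytes (IHL = 6)."""
    options = bytes([1, 1, 1, 0])
    payload = b"constructed-payload"          # stands in for the UDP datagram
    tos = (0x0A << 2) | ECT0                 # DS field in the top 6 bits, ECN below
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, ihl * 4 + len(payload),
                                0x1234, 0, 64, 17, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options)
    fix_checksum(hdr)
    return bytes(hdr) + payload


def build_outer_header(inner: bytes, outer_src: bytes, outer_dst: bytes,
                       ident: int, ttl: int = 64, df: bool = False) -> bytes:
    """Encapsulator column of the IPv4 table: version/length constructed, DS and ECN
    copied from the inner header, ID/flags/TTL constructed (policy values assumed),
    protocol = ESP, inner options never copied (fixed 20-byte header, IHL = 5)."""
    tos = inner[1]                            # DS + ECN copied verbatim from inner hdr
    flags_frag = 0x4000 if df else 0          # DF per policy; MF and offset are 0
    total_len = 20 + len(inner)              # payload stands in for ESP hdr + inner pkt
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                                ttl, ESP, 0, outer_src, outer_dst))
    fix_checksum(hdr)
    return bytes(hdr)


def set_ecn(pkt: bytes, ecn: int) -> bytes:
    """What a congested router does on the path: rewrite the ECN field of the
    (outer) header it sees and fix that header's checksum."""
    p = bytearray(pkt)
    p[1] = (p[1] & 0xFC) | (ecn & 0x03)
    fix_checksum(p)
    return bytes(p)


def decapsulate(tunnel_pkt: bytes) -> bytes:
    """Decapsulator column: strip the outer header, apply note (7) to the inner ECN
    field, decrement the inner TTL (note 2) and reconstruct the inner checksum.
    Inner options are left exactly as they were."""
    outer_ihl = (tunnel_pkt[0] & 0x0F) * 4
    outer_ecn = tunnel_pkt[1] & 0x03
    inner = bytearray(tunnel_pkt[outer_ihl:])
    if (inner[1] & 0x03) in (ECT0, ECT1) and outer_ecn == CE:
        inner[1] = (inner[1] & 0xFC) | CE    # congestion seen on the tunnel is reported
    if inner[8] == 0:
        raise ValueError("inner TTL already expired")
    inner[8] -= 1
    fix_checksum(inner)
    return bytes(inner)


def run_demo() -> dict:
    inner = build_inner_packet()
    outer = build_outer_header(inner, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]), ident=1)
    tunnel_pkt = outer + inner
    congested = set_ecn(tunnel_pkt, CE)      # CE lands on the outer header only
    return {"inner": inner, "outer": outer,
            "decap_clean": decapsulate(tunnel_pkt),
            "decap_ce": decapsulate(congested)}


if __name__ == "__main__":
    d = run_demo()
    print("outer hdr:", d["outer"].hex(), "(IHL=%d, no options)" % (d["outer"][0] & 0x0F))
    print("inner ECN after clean tunnel:", d["decap_clean"][1] & 3)
    print("inner ECN after CE on outer :", d["decap_ce"][1] & 3)
```

Running it shows the outer header staying at 20 bytes even though the inner header carries options, and the inner ECN field flipping from ECT(0) to CE only in the congested case; the inner options bytes survive decapsulation untouched, which is the "no change" column in practice.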