RFC 4891: Using IPsec to Secure IPv6-in-IPv4 Tunnels

... The document was intentionally not expanded to include the details on how to set up an IPsec-protected tunnel in an interoperable manner, but instead the details were deferred to this memo. ...
... Security Policy Database (SPD) entries. Section 6 gives recommendations. Appendices further discuss tunnel mode usage and optional extensions. ...
... This document does not address the use of IPsec for tunnels that are not manually configured (e.g., 6to4 tunnels [RFC3056]). Presumably, some form of opportunistic encryption ...
... RFC4213]) from the encapsulated packets to the tunnel path is out of scope. The use of the word "interface ...
... IPv6 node to send or receive IPv6 packets. The use of the phrase "tunnel interface" refers to the interface ...


... source address of the packet is the same as the address of the configured tunnel endpoint. The decapsulator may also implement ...
... confidentiality, replay protection, and origin protection between tunnel endpoints. IPsec ...
... IPsec can be used in two ways, in transport and tunnel mode; detailed discussion about applicability in this context ...
... using IPsec transport mode to secure the tunnel can spoof the inner payload. The packet will be decapsulated ...
... interface in the direction of the route towards the tunnel endpoint, similar to a Strict Reverse Path Forwarding (RPF ...
... SA is applied to a normal IPv6-in-IPv4 tunnel. Therefore, ingress filtering can be applied in the tunnel interface. (Transport mode is often also used in other kinds of tunnels such as Generic Routing Encapsulation (GRE) ...
... IPsec in Tunnel Mode ...
... In tunnel mode, the IPsec SA is established to protect the traffic ...
... IPv4 addresses may be spoofed, and IPsec cannot detect this in tunnel mode; the packets will be demultiplexed based on the SPI and possibly the IPv6 address ...
... the inner IPv6 packet can be verified to have come from the right tunnel endpoint. As described in Section 5, using tunnel mode is more difficult than applying transport mode to a tunnel interface, and as a result this document recommends transport mode. Note that even though transport rather than tunnel mode is recommended, an IPv6-in-IPv4 tunnel specified by protocol 41 still exists [RFC4213]. ...


... 1. (Generic) router-to-router tunnels. 2. Site-to-router or router-to-site tunnels. These refer to tunnels between a site's IPv6 (border) device and an IPv6 ...
... 3. Host-to-host tunnels. ...
... Router-to-Router Tunnels ...
... IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 ...
... (figure: IPsec tunnel between Router A and Router ...) ...
... IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans one segment of the end-to-end ...
... destination addresses of the IPv6 packets traversing the tunnel could come from a wide range of IPv6 prefixes, so binding ...
... A specific case of router-to-router tunnels, when one router resides at an end site, is described in the next section. ...
... Site-to-Router/Router-to-Site Tunnels ...
... (figure: IPv6 Internet, v6-in-v4 Tunnel, IPv4 Internet, IPsec Tunnel, V4/V6 Router) ...
... IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 site. This tunnel spans only the last segment of the end-to-end path. ...
... (figure: IPsec tunnel between IPv6 Site and Router ...) ...
... In the other direction, IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 ...
... router that is reachable via an IPv4 infrastructure. This type of tunnel spans the first segment of the packet's end-to-end ...
... Internet. In this case, an IPsec tunnel mode SA could be bound to the prefix ...
... Customer Premises Equipment (CPE) where the tunnel is terminated "trusts" (in a weak sense) the ISP's router, and ...
... Host-to-Host Tunnels ...
... (figure: IPsec tunnel between Host A and Host B) ...
... IPv6/IPv4 hosts interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire end-to-end path. ...
... destination IPv6 addresses are known a priori. A tunnel mode SA could be bound to these specific addresses. Address ...


... IKEv2 supports features useful for configuring and securing tunnels not present with IKEv1. ...


... 2. In router-to-router tunnels, the source and destination addresses of the traffic ...
... IPv6 traffic can be protected using transport or tunnel mode. There are many problems when using tunnel mode as implementations may or may not model the IPsec tunnel mode SA as an interface as ...
... described in Appendix A.1. If IPsec tunnel mode SA is not modeled as an interface (e.g., as of ...
... traffic needing protection is not necessarily (e.g., router-to-router tunnel) known a priori [RFC3884]. The third requirement ...
... source address selection. If the IPsec tunnel mode SA is modeled as interface, the traffic ...
... Because applying transport mode to protect a tunnel is a much simpler solution and also easily protects link-local and multicast traffic, we do not recommend using tunnel mode in this context. Tunnel mode is, however, discussed further in Appendix A. This document assumes that tunnels are manually configured on both sides and the ingress filtering is manually set up to discard spoofed ...
... tunneling methods, especially when the user wants to tunnel non-IP traffic ...
... RFC4023] provide examples of applying transport mode to protect tunnel traffic that spans only a part of an end-to-end ...
... IPv6 ingress filtering must be applied on the tunnel interface on all the packets that pass the inbound IPsec processing ...
... SPD entries assume that there are two routers, Router1 and Router2, with tunnel endpoint IPv4 addresses denoted IPV4-TEP1 ...
... Table 1: Packet Format for IPv6/IPv4 Tunnels. The IDci and IDcr payloads ...


... IPsec IPv6-in-IPv4 tunnel using either transport or tunnel mode. We observe that applying transport mode to a tunnel interface is the simplest and therefore recommended solution. ...
... In Appendix A, we also explore what it would take to use so-called Specific SPD (SSPD) tunnel mode. Such usage is more complicated because IPv6 prefixes need to be known a priori, and multicast ...
... link-local traffic do not work over such a tunnel. Fragment handling in tunnel mode is also more difficult. However, because the Mobility and Multihoming Protocol (MOBIKE) [RFC4555] supports only tunnel mode, when the IPv4 endpoints of a tunnel are dynamic and the other constraints are not applicable, using tunnel mode may be an acceptable solution. ...
... Therefore, our primary recommendation is to use transport mode applied to a tunnel interface. Source address spoofing can be limited by enabling ingress filtering on the tunnel interface. ...
... IPv6 traffic may be carried over the tunnels and doing so would make it easier for an attacker to recover the keys. IKEv1 ...


... When running IPv6-in-IPv4 tunnels (unsecured) over the Internet, it is possible to "inject" packets into the tunnel by spoofing the source address ...
... source address (data plane security), or if the tunnel is signaled somehow (e.g., using authentication protocol and obtaining a static ...
... role in adding security to both the protocol for tunnel setup and data traffic. ...
... signaling protocol for establishing, maintaining, and deleting an IPsec tunnel. IPsec ...
... 1, 2, and 3 does not aim to protect the end-to-end communication. It protects just the tunnel part. It is still possible for an IPv6 endpoint ...
... endpoint not attached to the IPsec tunnel to spoof packets. ...


... Palet, J. and M. Diaz, "Analysis of IPv6 Tunnel End-point Discovery Mechanisms", Work in Progress ...


... Appendix A. Using Tunnel Mode ...
... First, we describe the different tunnel mode implementation methods. We note that, in this context, only the so-called Specific SPD (SSPD) model (without a tunnel interface) can be made to work, but it has reduced applicability, and the use of a transport mode tunnel is recommended instead. However, we will describe how the SSPD tunnel mode might look if one would like to use it in any case. ...
... A.1. Tunnel Mode Implementation Methods ...
... Tunnel mode could (in theory) be deployed in two very different ways depending on the implementation: ...
... 1. "Generic SPDs": some implementations model the tunnel mode SA as an IP interface. In this case, an IPsec tunnel interface is created ...
... routing table would decide what traffic gets sent over the tunnel. Ingress filtering must be separately applied on the tunnel interface as the IPsec policy checks do not check the IPv6 addresses ...
... Routing protocols, multicast, etc. will work through this tunnel. This mode is similar to transport mode. The SPDs ...
... IKE uses IPv4 but the tunnel is IPv6, there is no standard solution to map the IPv4 ...
... 2. "Specific SPDs": some implementations do not model the tunnel mode SA as an IP interface. Traffic selection is based on ...
... traffic to protect; multicast is not possible over such a tunnel. Ingress filtering is performed automatically by the IPsec ...
... multicast) compared with a transport mode tunnel. When tunnel mode is used, fragment handling [RFC4301] may also be ...
... addresses), and the IPV4 addresses of the tunnel endpoints are denoted IPV4-TEP1 and IPV4 ...
... IPV6-EP2 41 PROTECT(ESP, tunnel{IPV4-TEP1,IPV4-TEP2}) ...
... IPV6-EP1 41 PROTECT(ESP, tunnel{IPV4-TEP2,IPV4-TEP1}) ...
... IPv6 address IPV6-EP1 and the tunnel endpoints of the host and router are IPV4-TEP1 and IPV4-TEP2, respectively. If the tunnel is between a router and a host ...
... IPV6-EP1 ANY ANY PROTECT(ESP, tunnel{IPV4-TEP1,IPV4-TEP2}) ...
... IPV6-EP1 ANY PROTECT(ESP, tunnel{IPV4-TEP1,IPV4-TEP2}) ...


... ISP as part of setting up the IPsec tunnel mode SA. The details of these procedures are out of scope for this memo. ...
... reasons: 1. One of the tunnel endpoints is often behind a NAT, and configured tunneling ...
... NAT. Hence, using IPsec tunnels would enable one to set up both a secure tunnel and a tunnel that might not always be possible without other tunneling mechanisms. ...
... change, this might introduce new security issues, and using tunnel mode would be most appropriate. When NAT ...
... address changes. Therefore, an easy and efficient way to re-establish the IPsec tunnel if the IP address changes would be desirable. MOBIKE ...
... RFC4555] provides a solution when IKEv2 is used, but it only supports tunnel mode. ...
... B.3. Tunnel Endpoint Discovery ...
... service name by appending it to the DNS search path provided by DHCPv4 (e.g., "tunnel-service.example.com"). ...
... be obtained somehow. Once the address has been learned, it is configured as the tunnel endpoint for the configured IPv6-in-IPv4 tunnel. This problem is also discussed at more length in [TUNN-AD]. However, simply discovering the tunnel endpoint is not sufficient for establishing an IKE session ...


