📄 rfc2207.txt
字号:
[RFC 1827] Atkinson, R., "IP Encapsulating Security Payload", RFC
1827, NRL, August 1995.
8 Acknowledgments
This note includes ideas originated and reviewed by a number of
individuals who did not participate in this note's writing. The
authors would like to acknowledge their contribution. We thank Ran
Atkinson <rja@cisco.com>, Fred Baker <fred@cisco.com>, Greg Troxel
<gdt@bbn.com>, John Krawczyk <jkrawczyk@BayNetworks.com> for much
appreciated input and feedback. Special appreciation goes to Bob
Braden <braden@isi.edu> for his detailed editorial and technical
comments. We also thank Buz Owen, Claudio Topolcic, Andy Veitch, and
Luis Sanchez for their help in coming up with the proposed approach.
If any brain-damage exists in this note, it originated solely from
the authors.
9 Authors' Addresses
Lou Berger Tim O'Malley
FORE Systems BBN Corporation
6905 Rockledge Drive 10 Moulton Street
Suite 800 Cambridge, MA 02138
Bethesda, MD 20817
Phone: 301-571-2534 Phone: 617-873-3076
EMail: lberger@fore.com EMail: timo@bbn.com
Berger & O'Malley Standards Track [Page 10]
RFC 2207 RSVP Extensions for IPSEC September 1997
A Options Considered
This sections reviews other approaches that were explored in
developing the described extensions. They are included here to
provide additional context into the general problem. All listed
options were rejected by the working group.
Four other options were considered:
1. UDP Encapsulation
Add a UDP header between the IP and the IPSEC AH or ESP
headers.
2. FlowID Header Encapsulation
Add a new type of header between the IP and the IPSEC AH or
ESP headers.
3. IPSEC modification
Modify IPSEC headers so that there are appropriate fields in
same location as UDP and TCP ports.
4. AH Transparency
Skip over the Authentication Header packet classifier
processing.
A.1 UDP Encapsulation
Since current SESSION and FILTER object expect UDP or TCP ports, this
proposal says let's just give it to them. The basic concept is to
add a UDP port between the IP and AH/ESP headers. The UDP ports
would provide the granularity of control that is need to associate
specific flows with reservations.
Source and destination ports would be used, as normal, in RSVP
session definition and control. The port fields would also need to
be used to identify the real transport level protocol (e.g. ESP)
being used. Also since many UDP ports are assigned as well known
ports, use of port numbers would be limited. So, the port fields
would need to be used to unambiguously identify 1) the next level
protocol, 2) the RSVP session, and 3) the RSVP reservation.
The advantages of this option is that no RSVP changes are required.
The disadvantages is that, since the headers aren't in the expected
location, RFC 1826 and RFC 1827 are violated.
Berger & O'Malley Standards Track [Page 11]
RFC 2207 RSVP Extensions for IPSEC September 1997
A.2 FlowID Header Encapsulation
[This option was originally proposed by Greg Troxel <gdt@bbn.com>.]
This option is very similar to option 1, but is more generic and
could be adopted as a standard solution. The notion is to use UDP
like ports for the sole purpose of flow identification. RSVP would
treat this new protocol exactly the same as UDP.
The difference between this and UDP encapsulation is in destination
host processing. The destination host would essentially ignore port
information and use a new field, protocol ID, to identify which
protocol should process the packet next. Some examples of protocol
IDs correspond to TCP, UDP, ESP, or AH.
The format of the FlowID Header would be:
+---------------+---------------+---------------+---------------+
| Source Port | Dest Port |
+---------------+---------------+---------------+---------------+
| Ver | Len | Protocol ID | Checksum |
+---------------+---------------+---------------+---------------+
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
2 bytes source port 4 bits length-32 (2)
2 bytes dest port 8 bits protocol ID
4 bits version (1) 16 bits checksum
The advantage of this protocol is that flow identification is
separated from all other protocol processing. The disadvantage is
that the addition of a header violates RFC 1826 and 1827, and also
that applications using RSVP will need to add this extra header on
all data packets whose transport headers do not have UDP/TCP like
ports.
A.3 IPSEC Protocol Modification
The basic notion of this option is to leave RSVP as currently
specified and use the Security Association Identifier (SPI) found in
the IPSEC headers for flow identification. There are two issues with
using the SPI. The first is that the SPI is located in the wrong
location when using Authentication (AH). The second issue is how to
make use of the SPI.
The first issue is easy to fix, but violates RFC 1826. UDP and TCP
have port assignments in the first 4 bytes of their headers, each is
two bytes long, source comes first, then destination. The ESP header
has the SPI in the same location as UDP/TCP ports, the AH doesn't.
Berger & O'Malley Standards Track [Page 12]
RFC 2207 RSVP Extensions for IPSEC September 1997
The IP Authentication Header has the following syntax:
+---------------+---------------+---------------+---------------+
| Next Header | Length | RESERVED |
+---------------+---------------+---------------+---------------+
| Security Parameters Index |
+---------------+---------------+---------------+---------------+
| |
+ Authentication Data (variable number of 32-bit words) |
| |
+---------------+---------------+---------------+---------------+
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
Simply reversing the first 4 bytes with the SPI we will have the SPI
in the location that RSVP expects. This would be non-standard, or
require a major (i.e. not backward compatible) change to RSVP 1826.
The second issue is how to make use of the SPI. Per the current RSVP
specification, the first two bytes of a flow's SPI will need to be
carried in the PATH message and the second two bytes in the RESV
message. The biggest problem is that the SPI is normally selected by
the receiver and is likely to be different for EACH sender. (There
is a special case where the same SPI is used by all senders in a
multicast group. But this is a special case.) It is possible to
have the SPI selected prior to starting the RSVPsession. This will
work for unicast and the special multicast case. But using this
approach means that setup time will usually be extended by at least 1
round trip time. Its not clear how to support SE and WF style
reservations.
The advantage of this approach is no change to RSVP. The
disadvantages are modification to RFC1827 and limited support of RSVP
reservation styles.
A.4 AH Transparency
The source of the RSVP support of IPSEC protocols problem is that the
real transport header is not in the expected location. With ESP
packets, the real source and destination ports are encrypted and
therefore useless to RSVP. This is not the case for authentication.
For AH, the real header just follows the Authentication Header. So,
it would be possible to use the real transport header for RSVP
session definition and reservation.
To use the transport header, all that would need to be done is for
the flow classifier to skip over AHs before classifying packets. No
modification to RSVP formats or setup processing would be required.
Applications would make reservations based on transport (i.e., UDP or
Berger & O'Malley Standards Track [Page 13]
RFC 2207 RSVP Extensions for IPSEC September 1997
TCP) ports as usual.
The advantages of this approach are no changes to either IPSEC
protocols or RSVP formats. The major disadvantage is that routers
and hosts must skip all AHs before classifying packets. The working
group decided that it was best to have a consistent solution for both
AH and ESP.
Berger & O'Malley Standards Track [Page 14]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -