9.2 IPsec Tunnels
9.2 IPsec Tunnels
IPsec supports secure communications through potentially insecure network components (such as intermediate routers). The IPsec protocols support two modes of operation, transport mode and tunnel mode, covering a wide range of security requirements and operational environments. Transport mode security protocol headers are inserted between the IP (IPv4 or IPv6) header and higher layer protocol headers (e.g., TCP), so transport mode can only be used for end-to-end security on a connection. IPsec tunnel mode is based on adding a new "outer" IP header that encapsulates the original or "inner" IP header and its associated packet. Tunnel mode security headers are inserted between these two IP headers. In contrast to transport mode, the new "outer" IP header and tunnel mode security headers can be added and removed at intermediate points along the connection, allowing security gateways to protect vulnerable parts of a connection without requiring endpoint participation in the security protocol. An important aspect of tunnel mode security is that in the original specification, the outer header is discarded at the tunnel egress, ensuring that security threats based on modifying the IP header do not propagate beyond that tunnel endpoint. Further discussion of IPsec can be found in [RFC2401].
The IPsec protocols originally defined in [ESP, AH] require that the ECN field of the inner header not be changed by IPsec decapsulation processing at the tunnel egress node; this would preclude the possibility of a full-functionality mode for ECN. At the same time, this would ensure that adversary modifications to the ECN field cannot be used to launch theft or denial-of-service attacks across IPsec tunnel endpoints, since any such modifications would be discarded at the tunnel endpoints.
In principle, allowing the use of ECN functionality in the outer header of IPsec tunnels raises security concerns because adversaries may tamper with information that propagates beyond the tunnel endpoints. Based on the analysis of these issues and associated risks (contained in Sections 18 and 19), our overall approach is to provide configuration support for IPsec changes to eliminate conflicts with ECN.
In particular, in tunnel mode, IPsec tunnels MUST support the limited-functionality option outlined in Section 9.1.1, and SHOULD support the full-functionality option outlined in Section 9.1.1.
This makes permission to use ECN functionality in the outer header of IPsec tunnels a configurable part of the corresponding IPsec Security Association (SA), so that it can be disabled when the risks are considered to exceed the benefits. As a result, IPsec security administrators can provide two alternatives for the behavior of ECN-capable connections within IPsec tunnels, namely the limited-functionality alternative and the full-functionality alternative described previously.
In addition, this document specifies how the endpoints of IPsec tunnels can negotiate enabling ECN functionality in the outer header of that tunnel based on security policy. The ability to negotiate ECN use between tunnel endpoints will enable security administrators to disable ECN when she considers the risks (e.g., the risk of losing congestion notifications) to exceed the benefits of ECN.
The IPsec protocols as defined in [ESP, AH] do not include the ECN field of the IP header in any of their cryptographic calculations (in the case of tunnel mode, the ECN field of the outer IP header is not included). Therefore, network node modifications to the ECN field have no impact on IPsec's end-to-end security, as they will not cause any IPsec integrity check failures. Thus, IPsec does not provide any defense against adversary modifications to the ECN field (i.e., man-in-the-middle attacks), as adversary modifications would also have no impact on IPsec's end-to-end security. In some environments, the ability to modify the ECN field without affecting IPsec integrity checks may constitute a covert channel; if it is necessary to eliminate such channels or reduce their bandwidth, IPsec tunnels should be operated in limited-functionality mode.