Next: Transparent Policy Enforcement
Up: Bridging and IPsec
Previous: Virtual LANs
As mentioned in section 3, the bridge can also be
used as a transparent IPsec box, sitting in front of a host or network
and IPsec-processing packets traversing it. This configuration is
called ``bump in the wire'' (BITW) in the IPsec architecture. The
encrypting bridge as described in the previous section can be used
almost as-is when the protected hosts or networks are configured to
only talk to one remote host (or security gateway): an incoming and
outgoing SA pair can be associated with an enc interface as
before, and IPsec processing is done along the same lines. However,
rather than encapsulating ethernet frames inside IP packets (and then
IPsec-processing these), we extract the IP packets from the ethernet
frames and do IP-in-IP encapsulation instead. The administrator can
specify which of the two types of encapsulation should be used simply
by setting the appropriate interface flag using the ifconfig
command.
The SAs associated with the enc interface (which must be
manually configured) can use the IP address of the bridge, or the IP
address of the protected host. In the former case, the bridge exhibits
the exact same characteristics as an encrypting gateway (packets sent
to the remote host or gateway list the bridge's IP address as the
source); in contrast to a gateway however, no configuration changes
are necessary in the network or the protected host(s) when placing the
bridge. Since SA configuration is manual, there are no issues with
authentication during key establishment (as described in section
3).
When the SAs use the IP address of the protected host, the bridge is
totally transparent to both the protected host and the destination
host or gateway. There are two issues that need to be addressed in
this configuration however:
- The IPsec standard specifies that IP fragments should not be
IPsec processed in transport mode. That is, fragmentation must occur
after IPsec processing has taken place, or tunnel mode (IP-in-IP
encapsulation) must be used. Thus, the bridge must either use only
tunnel mode IPsec, or reassemble all fragments received from the
protected host, IPsec-process the re-constructed packet, then fragment
the resulting packet. For performance and simplicity reasons, we
decided to use the former approach. The disadvantage is that all
IPsec-processed packets are 20 bytes larger (the size of the external
IP header).
- Since the remote host is not aware of the encrypting bridge's
existence, IPsec packets will be addressed to the protected host or
network. Thus, we have to modify the bridge to recognize these
addresses and process those IPsec packets. In fact, address
recognition is unnecessary. The bridge only has to watch for IPsec
packets (transport protocol ESP or AH), and use the information in the
packet to perform an SA lookup. If an SA is found, the packet is
processed. Otherwise, it may be dropped or allowed through depending
on the filtering configuration.
A hybrid SA configuration may be used (where the bridge uses its
address in one direction, and the protected host's address in the
other). Such a configuration does not seem to offer any substantial
benefit however (and may in fact result in confusing the
administrator).
Next: Transparent Policy Enforcement
Up: Bridging and IPsec
Previous: Virtual LANs
Angelos D. Keromytis
4/21/2000