
11.6. Tunnel Mode

Tunnel mode is used to connect two networks through a set of security gateways or a host and a network that is protected by a security gateway. Figure 11.8 shows a typical case for two networks; the case of a single host and a network is similar (Exercise 11.3). Notice that the AH tunnel runs between the gateways, not between hosts on the two protected networks.

Figure 11.8. A Tunnel-Mode AH Tunnel


Because the security gateways must protect datagrams between arbitrary pairs of hosts from the two networks, the encapsulation is different. Rather than inserting an AH header between the IP header and the upper-layer protocol header, we encapsulate the entire datagram by prepending new IP and AH headers. We show this for a TCP segment in Figure 11.9. The authentication is shown extending halfway into the outer IP header; as before, this indicates that only the immutable fields of the IP header are authenticated. Also notice that the entire inner IP header is authenticated. This is possible because only the outer IP header is examined and modified by intermediate routers; the inner IP header takes no part in the routing and is not changed.

Figure 11.9. AH Tunnel-Mode Encapsulation


Let's see how this encapsulation would work in practice. Suppose that host H2 of Figure 11.8 wants to send a TCP segment to host H6 and have it protected by AH. Figure 11.10 shows the encapsulation at each point in the network. When the packet leaves H2, it has a source address of 10.0.1.2 and a destination address of 10.0.2.3, as expected.

Figure 11.10. Packet Flow in an AH Tunnel


The protocol field in the IP header is set to 6, indicating that the upper-layer protocol is TCP. When the packet leaves GW1, it has an IP header and an AH header prepended. The outer IP header has a source address of GW1 (96.1.1.1) and a destination address of GW2 (96.1.1.2). The protocol field of the outer IP header is set to 51, indicating that it is carrying an AH packet. The next header field of the AH header is set to 4, indicating that it is protecting an IP packet.

When the packet arrives at GW2, the outer IP and AH headers are stripped off, and the original datagram, as host H2 sent it, is delivered to H6. The inner IP datagram has not been changed in any way during the transit from H2 to H6.

If we build a tunnel-mode AH VPN between laptop and bsd, using the AH test bed of Figure 11.7, laptop can communicate with any host on the 172.30.0.0/24 network and have its datagrams protected by AH as they transit from laptop to bsd. Note, though, that the datagram is not protected as it moves from bsd to another host on the 172.30.0.0/24 network. If, after establishing the AH tunnel-mode VPN, we ping from laptop to linux and capture the traffic with tcpdump on bsd, we see the expected encapsulation:

1   17:59:43.012583 IP 192.168.123.5 > 192.168.123.1:
      AH(spi=0x0e9ec45c,seq=0x1): IP
      192.168.123.5 > 172.30.0.4: icmp 64:
      echo request seq 512 (ipip-proto-4)
1.1     4500 0080 0038 0000 4033 02bc c0a8 7b05    E....8..@3....{.
1.2     c0a8 7b01 0404 0000 0e9e c45c 0000 0001    ..{.......\.....
1.3     2040 b6f2 2283 92f6 39f8 8941 4500 0054    .@.."...9..AE..T
1.4     0037 0000 4001 92a2 c0a8 7b05 ac1e 0004    .7..@.....{.....
1.5     0800 cd58 3d01 0200 5ed1 3042 6e8f 0300    ...X=...^.0Bn...
1.6     0809 0a0b 0c0d 0e0f 1011 1213 1415 1617    ................
1.7     1819 1a1b 1c1d 1e1f 2021 2223 2425 2627    .........!"#$%&'
1.8     2829 2a2b 2c2d 2e2f 3031 3233 3435 3637    ()*+,-./01234567

The outer IP header is on lines 1.1 and 1.2. It has a source address of 192.168.123.5 (0xc0a87b05) and a destination address of 192.168.123.1 (0xc0a87b01). The AH header is on lines 1.2 and 1.3, beginning with the bytes 0404 0000 on line 1.2. Its next header field is set to IP-in-IP (4). This indicates that an IP header follows the AH header.

As mentioned in Chapter 10, we can think of AH tunnel mode as AH transport mode applied to an IP-in-IP tunnel.

The part of the AH header on line 1.3 is the authentication data, which, as in the transport-mode example, is HMAC-SHA1-96. We see the inner IP header immediately following the AH header on lines 1.3 and 1.4. The source address is still 192.168.123.5 (0xc0a87b05), but the destination address is 172.30.0.4 (0xac1e0004), which is linux. The ICMP packet (the ping) starts on line 1.5 and has a type of echo request (0x08), as expected.
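To make the walk-through concrete, here is an added Python example (not code from the book or its test bed) that decodes the bytes from lines 1.1 to 1.8 into the outer IP, AH and inner IP fields discussed above, and then builds the byte string the ICV is computed over, with the outer header's mutable fields zeroed and the inner header left intact. It assumes the fixed 20-byte IPv4 header (no options) and the 12-byte HMAC-SHA1-96 ICV seen in this capture; it does not recompute the ICV, since the SA's key is not on the page.

```python
import struct

# Transcribed from tcpdump lines 1.1 to 1.8 above: outer IP + AH + inner IP + ICMP.
CAPTURE = bytes.fromhex(
    "4500 0080 0038 0000 4033 02bc c0a8 7b05 c0a8 7b01 0404 0000 0e9e c45c 0000 0001"
    "2040 b6f2 2283 92f6 39f8 8941 4500 0054 0037 0000 4001 92a2 c0a8 7b05 ac1e 0004"
    "0800 cd58 3d01 0200 5ed1 3042 6e8f 0300 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617"
    "1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637"
)

def parse_ipv4(buf, off):
    """Decode the fixed IPv4 header at buf[off]; IP options are assumed absent."""
    vhl, _tos, tlen, _id, _frag, ttl, proto, _csum = struct.unpack_from("!BBHHHBBH", buf, off)
    return {"ihl": (vhl & 0x0F) * 4, "total_length": tlen, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, buf[off + 12:off + 16])),
            "dst": ".".join(map(str, buf[off + 16:off + 20]))}

def parse_ah(buf, off):
    """Decode the AH header; payload length counts 32-bit words minus 2 (RFC 4302)."""
    next_hdr, payload_len, _resv, spi, seq = struct.unpack_from("!BBHII", buf, off)
    ah_len = (payload_len + 2) * 4        # here: 12-byte fixed part + 12-byte HMAC-SHA1-96 ICV
    return {"next_header": next_hdr, "length": ah_len, "spi": spi, "seq": seq,
            "icv": buf[off + 12:off + ah_len]}

def decode_ah_tunnel(pkt):
    """Peel outer IP -> AH -> inner IP, as GW2 does before delivering the datagram."""
    outer = parse_ipv4(pkt, 0)
    if outer["protocol"] != 51:
        raise ValueError("outer protocol is not AH")
    ah = parse_ah(pkt, outer["ihl"])
    if ah["next_header"] != 4:
        raise ValueError("AH next header is not IP-in-IP")
    inner_off = outer["ihl"] + ah["length"]
    inner = parse_ipv4(pkt, inner_off)
    icmp_type = pkt[inner_off + inner["ihl"]]  # first byte of the ICMP header
    return outer, ah, inner, icmp_type

def icv_input(pkt, outer_ihl, ah_len):
    """Bytes the ICV covers: the whole packet with the outer header's mutable
    fields (DSCP/ECN, flags, fragment offset, TTL, checksum) and the ICV field
    itself zeroed (RFC 4302 Appendix A). The inner IP header is covered unchanged."""
    b = bytearray(pkt)
    b[1] = 0                              # TOS (DSCP + ECN)
    b[6:8] = b"\x00\x00"                  # flags and fragment offset
    b[8] = 0                              # TTL, decremented by every router
    b[10:12] = b"\x00\x00"                # header checksum, recomputed with TTL
    b[outer_ihl + 12:outer_ihl + ah_len] = bytes(ah_len - 12)   # zero the ICV field
    return bytes(b)
```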

In AH tunnel mode, the situation with NAT is slightly different from what it was with transport mode. It is common for a security gateway to include router and NAT functions. In this case, the gateways can apply NAT before they calculate the ICV. When AH is used alone (that is, with no ESP encryption), it can see the transport-layer port numbers, so it can even apply PAT. On the other hand, NAT is often not necessary: in Figure 11.10, a datagram is carried between two networks with private IP address ranges without the use of NAT. In this respect, the AH tunnel is similar to the IP-in-IP tunnel that we saw in Chapter 4.

