Cisco - Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec (5)

2020-05-24 10:30

Host 1 continues to send TCP/IP packets to Host 2, but they are fragmented midway, on the link with the 1400-byte MTU (because the outer header's DF bit was not copied from the DF bit of the original packet). The GRE tunnel peer reassembles these packets, then decapsulates them and forwards them.

12. "Pure" IPsec Tunnel Mode

The IP Security (IPsec) Protocol is a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. IPsec provides IP network-layer encryption. IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added header(s) vary in length depending on the IPsec configuration mode, but they do not exceed ~58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet.

IPsec has two modes, tunnel mode and transport mode.

- Tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and encapsulated by the IPsec headers and trailers. Then a new IP header is prepended to the packet, specifying the IPsec endpoints (peers) as the source and destination. Tunnel mode can be used with any unicast IP traffic and must be used if IPsec is protecting traffic from hosts behind the IPsec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPsec peers. With VPNs, the IPsec "tunnel" protects the IP traffic between hosts by encrypting this traffic between the IPsec peer routers.

- With transport mode (configured with the subcommand mode transport on the transform definition), only the payload of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPsec headers and trailers. The original IP header remains intact, except that the IP protocol field is changed to ESP (50); the original protocol value is saved in the IPsec trailer and restored when the packet is decrypted. Transport mode is used only when the IP traffic to be protected is between the IPsec peers themselves, that is, when the source and destination IP addresses on the packet are the same as the IPsec peer addresses. Normally IPsec transport mode is only used when another tunneling protocol (like GRE) is used to first encapsulate the IP data packet, and IPsec is then used to protect the GRE tunnel packets.

IPsec always does PMTUD for data packets and for its own packets. There are IPsec configuration commands to modify PMTUD processing for the IPsec IP packet: IPsec can clear, set, or copy the DF bit from the data packet IP header to the IPsec IP header. This is called the "DF Bit Override Functionality" feature.

Note: You really want to avoid fragmentation after encapsulation when you do hardware encryption with IPsec. Hardware encryption can give you throughput of about 50 Mbps depending on the hardware, but if the IPsec packet is fragmented you lose 50 to 90 percent of the throughput. This loss occurs because the fragmented IPsec packets are process-switched for reassembly and only then handed to the hardware encryption engine for decryption. This loss of throughput can bring hardware encryption throughput down to the performance level of software encryption (2-10 Mbps).


Scenario 7:

This scenario depicts IPsec fragmentation in action. In this scenario, the MTU along the entire path is 1500 and the DF bit is not set.


1. The router receives a 1500-byte packet (20-byte IP header + 1480 bytes of TCP payload) destined for Host 2.


2. The 1500-byte packet is encrypted by IPsec and 52 bytes of overhead are added (IPsec header, trailer, and additional IP header). Now IPsec needs to send a 1552-byte packet. Since the outbound MTU is 1500, this packet will have to be fragmented.


3. Two fragments are created out of the IPsec packet. During fragmentation, an additional 20-byte IP header is added for the second fragment, resulting in a 1500-byte fragment and a 72-byte IP fragment.


4. The IPsec tunnel peer router receives the fragments, strips off the additional IP header and coalesces the IP fragments back into the original IPsec packet. Then IPsec decrypts this packet.


5. The router then forwards the original 1500-byte data packet to Host 2.

Scenario 8:

This scenario is similar to Scenario 7 above, except that in this case the DF bit is set in the original data packet and there is a link in the path between the IPsec tunnel peers that has a lower MTU than the other links. This scenario demonstrates how the IPsec peer router performs both PMTUD roles, as described in the section The Router as a PMTUD Participant at the Endpoint of a Tunnel.

You will see in this scenario how the IPsec PMTU changes to a lower value as the result of the need for fragmentation. Remember that the DF bit is copied from the inner IP header to the outer IP header when IPsec encrypts a packet. The media MTU and PMTU values are stored in the IPsec Security Association (SA). The media MTU is based on the MTU of the outbound router interface and the PMTU is based on the minimum MTU seen on the path between the IPsec peers. Remember that IPsec encapsulates/encrypts the packet before it attempts to fragment it.
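The arithmetic behind Scenario 7 (1500 + 52 = 1552, split into a 1500-byte and a 72-byte fragment), the DF Bit Override choice (copy, set, or clear the outer DF bit), and the DF-copied case this scenario introduces can all be checked with a small model. The following is an added example, not code from the Cisco document or from IOS; it assumes DES/3DES-CBC (8-byte IV and padding block) with HMAC-SHA1-96 (12-byte ICV), which reproduces the 52-byte tunnel-mode overhead quoted above. The function `max_inner_len` that stands in for the next-hop MTU IPsec reports to the sender is a hypothetical model; the text only says IPsec performs PMTUD, not how IOS derives that value.

```python
"""Model of ESP overhead, the DF Bit Override choice, and IPv4 fragmentation
of the encapsulated packet.

Assumptions (not from the Cisco text): DES/3DES-CBC with an 8-byte IV and
8-byte padding block, HMAC-SHA1-96 with a 12-byte ICV, IPv4 headers without
options.  These values give the 52-byte tunnel-mode overhead of Scenario 7.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header with no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 8     # assumed DES/3DES-CBC; AES-CBC would use 16
    block: int = 8      # cipher block size the ESP payload is padded to
    icv_len: int = 12   # assumed HMAC-SHA1-96 truncated ICV


def esp_overhead(inner_len: int, mode: str = "tunnel", p: EspParams = EspParams()) -> int:
    """Bytes ESP adds to an inner IPv4 packet of inner_len bytes."""
    if mode not in ("tunnel", "transport"):
        raise ValueError(mode)
    # Tunnel mode encrypts the whole inner packet and prepends a new IP header;
    # transport mode keeps the original IP header and protects only its payload.
    protected = inner_len if mode == "tunnel" else inner_len - IP_HDR
    pad = (-(protected + ESP_TRAILER)) % p.block
    overhead = ESP_HDR + p.iv_len + pad + ESP_TRAILER + p.icv_len
    return overhead + (IP_HDR if mode == "tunnel" else 0)


def fragment(total_len: int, mtu: int) -> list[int]:
    """On-the-wire sizes of the IPv4 fragments of a total_len-byte packet.

    Every fragment carries its own 20-byte IP header, and all but the last
    carry a payload that is a multiple of 8 (fragment offsets are 8-byte units).
    """
    if total_len <= mtu:
        return [total_len]
    per_frag = (mtu - IP_HDR) // 8 * 8
    payload = total_len - IP_HDR
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)
        payload -= chunk
    return sizes


def max_inner_len(mtu: int, mode: str = "tunnel", p: EspParams = EspParams()) -> int:
    """Largest inner packet whose ESP-encapsulated form still fits mtu.

    Hypothetical stand-in for the next-hop MTU reported to the sender by
    PMTUD; padding makes this non-monotonic, hence the search.
    """
    for inner in range(mtu, 0, -1):
        if inner + esp_overhead(inner, mode, p) <= mtu:
            return inner
    raise ValueError("mtu too small for any ESP packet")


def encapsulate(inner_len, inner_df, mtu, df_override="copy", mode="tunnel", p=EspParams()):
    """What the encrypting router does with one inner packet.

    df_override models the DF Bit Override Functionality for the new tunnel-mode
    header: copy the inner DF bit (the default), force it on, or clear it.
    Transport mode keeps the original header, so its DF bit is unchanged.
    """
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_override]
    if mode == "transport":
        outer_df = inner_df
    outer_len = inner_len + esp_overhead(inner_len, mode, p)
    if outer_len <= mtu:
        return {"action": "forward", "fragments": [outer_len], "outer_df": outer_df}
    if outer_df:
        # DF set on the packet that does not fit: PMTUD drops it and reports
        # the largest inner size that will still fit after encapsulation.
        return {"action": "icmp_frag_needed", "fragments": [], "outer_df": True,
                "next_hop_mtu": max_inner_len(mtu, mode, p)}
    # DF clear: fragment after encryption; the peer must reassemble before it
    # can decrypt, which is the slow path the hardware-encryption note warns about.
    return {"action": "fragment", "fragments": fragment(outer_len, mtu), "outer_df": False}


if __name__ == "__main__":
    # Scenario 7: 1500-byte packet, DF clear, 1500-byte MTU along the path.
    print(esp_overhead(1500))                                   # 52
    print(encapsulate(1500, inner_df=False, mtu=1500))          # fragments [1500, 72]
    # Same packet with DF set and copied to the outer header: dropped, PMTUD.
    print(encapsulate(1500, inner_df=True, mtu=1500))
    # Clearing DF on the outer header turns that drop back into fragmentation.
    print(encapsulate(1500, inner_df=True, mtu=1500, df_override="clear"))
```

Because the padding depends on the inner length, the overhead ranges from 50 to 57 bytes under these parameters, which is where the "~58 bytes" figure above comes from; swapping in AES-CBC (16-byte IV and block) or a longer ICV raises it accordingly.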


