IPSec Modes: Transport and Tunnel

Three different basic implementation architectures can be used to provide IPSec facilities to TCP/IP networks. The choice of which implementation we use, as well as whether we implement in end hosts or routers, impacts the specific way that IPSec functions. Two specific modes of operation are defined for IPSec that are related to these architectures, called transport mode and tunnel mode.

IPSec modes are closely related to the function of the two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). Both of these protocols provide protection by adding to a datagram a header (and possibly other fields) containing security information. The choice of mode does not affect the method by which each generates its header, but rather changes what specific parts of the IP datagram are protected and how the headers are arranged to accomplish this. In essence, the mode really describes, not prescribes, how AH or ESP do their thing. It is used as the basis for defining other constructs, such as security associations (SAs). Let's take a look at how the two modes work.

Transport Mode

As its name suggests, in transport mode the protocol protects the message passed down to IP from the transport layer. The message is processed by AH/ESP and the appropriate header(s) added in front of the transport (UDP or TCP) header. The IP header is then added in front of that by IP.

Another way of looking at this is as follows. Normally the transport layer packages data for transmission and sends it to IP. From IP's perspective, this transport layer message is the payload of the IP datagram. When IPSec is used in transport mode, the IPSec header is applied only over this IP payload, not the IP header. The AH and/or ESP headers appear between the original, single IP header and the IP payload. This is illustrated in Figure 119.

Figure 119: IPSec Transport Mode Operation. When IPSec operates in transport mode, it is integrated with IP and used to transport the upper layer (TCP/UDP) message directly. After processing, the datagram has just one IP header that contains the AH and/or ESP IPSec headers.
Tunnel Mode

In this mode, IPSec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it. The IPSec headers appear in front of the original IP header, and then a new IP header is added in front of the IPSec header. That is to say, the entire original IP datagram is secured and then encapsulated within another IP datagram. This is shown in Figure 120.

Figure 120: IPSec Tunnel Mode Operation. IPSec tunnel mode is so named because it represents an encapsulation of a complete IP datagram, forming a virtual tunnel between IPSec-capable devices. The IP datagram is passed to IPSec, where a new IP header is created with the AH and/or ESP IPSec headers added.
Comparing Transport and Tunnel Modes

The bottom line in understanding the difference between these two is this: tunnel mode protects the original IP datagram as a whole, header and all, while transport mode does not. Thus, in general terms, the order of the headers is as follows:

Transport Mode: IP header, IPSec headers (AH and/or ESP), IP payload (including transport header).
Tunnel Mode: New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.

Again, this is a simplified view of how IPSec datagrams are constructed; the reality is significantly more complex. The exact way that the headers are arranged in an IPSec datagram in both transport and tunnel modes depends on which version of IP is being used; IPv6 uses extension headers which must be arranged in a particular way when IPSec is used. The header placement also depends on which IPSec protocol is being used: AH or ESP. Note that it is also possible to apply both AH and ESP to the same datagram; if so, the AH header always appears before the ESP header. There are thus three variables and eight basic combinations of mode (tunnel or transport), IP version (IPv4 or IPv6) and protocol (AH or ESP). The two topics on AH and ESP describe the four format combinations of transport/tunnel mode and IPv4/IPv6 applicable to each protocol. Note that ESP also includes an ESP trailer that goes after the data protected.

You could probably tell by reading these descriptions how the two modes relate to the choice of IPSec architecture from the preceding topic. Transport mode requires that IPSec be integrated into IP, because AH/ESP must be applied as the original IP packaging is performed on the transport layer message. This is often the choice for implementations requiring end-to-end security with hosts that run IPSec directly. Tunnel mode represents an encapsulation of IP within the combination of IP+IPSec. Thus, it corresponds with the BITS and BITW implementations, where IPSec is applied after IP has processed higher-layer messages and already added its header. Tunnel mode is a common choice for VPN implementations, which are based on tunneling of IP datagrams through an unsecured network such as the Internet.
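To make the header-order difference concrete, the following added example (not code from the original article or from any IPSec implementation) builds IPv4 datagrams protected by AH in both modes and walks the Protocol/Next Header chain to show the resulting header order: IPv4, AH, TCP in transport mode versus IPv4, AH, IPv4, TCP in tunnel mode. The AH integrity check value is computed the way RFC 4302 describes (HMAC over the outer IP header with its mutable fields zeroed, the AH header with the ICV field zeroed, and everything after), using HMAC-SHA1-96 from RFC 2404. The key, addresses, SPI and TCP segment are constructed sample values, and the IPv4 header checksum is simply left at zero since it is excluded from the ICV anyway. Tampering with an inner header byte in tunnel mode fails verification, whereas the same byte (TTL) in the outer header is mutable and not covered, which is exactly the "header and all" distinction the text draws.

```python
import hashlib
import hmac
import socket
import struct

# IANA protocol numbers used in the Protocol / Next Header fields
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
NAMES = {IPPROTO_IPIP: "IPv4", IPPROTO_TCP: "TCP", IPPROTO_AH: "AH"}
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): 160-bit MAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # fixed AH fields (12 bytes) + ICV = 24 bytes


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. The checksum is left at zero in this
    constructed example; it is a mutable field and never covered by AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and header checksum are zeroed
    before the ICV is computed because routers may change them in flight."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv=b"\x00" * ICV_LEN):
    # Payload Length = AH length in 32-bit words minus 2 -> 24/4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, ah_zeroed_icv, rest):
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_zeroed_icv + rest, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(src, dst, next_hdr, protected, key, spi=0x100, seq=1):
    """Outer IPv4 header + AH + `protected`. `next_hdr` says what `protected`
    is: a TCP segment (transport mode) or a whole IPv4 datagram (tunnel mode)."""
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, AH_LEN + len(protected))
    ah = ah_header(next_hdr, spi, seq)           # ICV field still zero
    icv = ah_icv(key, ip_hdr, ah, protected)
    return ip_hdr + ah[:-ICV_LEN] + icv + protected


def transport_mode(src, dst, tcp_segment, key):
    return build_ah(src, dst, IPPROTO_TCP, tcp_segment, key)


def tunnel_mode(gw_src, gw_dst, inner_datagram, key):
    return build_ah(gw_src, gw_dst, IPPROTO_IPIP, inner_datagram, key)


def verify_ah(datagram, key):
    ip_hdr, ah, rest = datagram[:20], datagram[20:20 + AH_LEN], datagram[20 + AH_LEN:]
    expected = ah_icv(key, ip_hdr, ah[:-ICV_LEN] + b"\x00" * ICV_LEN, rest)
    return hmac.compare_digest(ah[-ICV_LEN:], expected)


def header_chain(datagram):
    """Follow the Protocol / Next Header fields and list the headers in order."""
    chain, off, proto = ["IPv4"], 20, datagram[9]
    while True:
        chain.append(NAMES[proto])
        if proto == IPPROTO_AH:
            proto, off = datagram[off], off + (datagram[off + 1] + 2) * 4
        elif proto == IPPROTO_IPIP:
            proto, off = datagram[off + 9], off + 20
        else:
            return chain


def tamper(datagram, offset, value):
    d = bytearray(datagram)
    d[offset] = value
    return bytes(d)


def demo():
    key = b"constructed-demo-key"                    # sample value, not a real SA key
    tcp = bytes.fromhex("04d2005000000001000000005002200000000000") + b"hello"  # SYN 1234->80
    # transport mode: the two hosts run IPSec themselves
    t = transport_mode("10.0.0.1", "10.0.0.2", tcp, key)
    # tunnel mode: gateways 192.0.2.1 and 198.51.100.1 carry the whole inner datagram
    inner = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_TCP, len(tcp)) + tcp
    u = tunnel_mode("192.0.2.1", "198.51.100.1", inner, key)
    return {
        "transport_chain": header_chain(t),
        "tunnel_chain": header_chain(u),
        "transport_ok": verify_ah(t, key),
        "tunnel_ok": verify_ah(u, key),
        "outer_ttl_changed_ok": verify_ah(tamper(u, 8, 1), key),        # mutable, not covered
        "inner_ttl_changed_ok": verify_ah(tamper(u, 20 + AH_LEN + 8, 1), key),  # inner header is payload
        "transport_dst_changed_ok": verify_ah(tamper(t, 19, 9), key),   # immutable field, covered
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The inner datagram in tunnel mode is opaque payload to AH, so every byte of it, TTL and checksum included, is integrity protected; in transport mode the original header is the outer header, and only its immutable fields are covered.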

This is the CBT IPsec video; you can watch this video.

I think it is useful for you.
