IPSec Modes: Transport and Tunnel
Comparing Transport and Tunnel Modes
The bottom line in understanding the difference between the two modes is this: tunnel mode protects the original IP datagram as a whole, header and all, while transport mode protects only the datagram's payload (the transport-layer message). AH in transport mode does authenticate the immutable fields of the IP header, but neither protocol encapsulates that header in transport mode. Thus, in general terms, the order of the headers is as follows:
- Transport Mode: IP header, IPSec headers (AH and/or ESP), IP payload (including the transport header).
- Tunnel Mode: New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.
Again, this is a simplified view of how IPSec datagrams are constructed; the reality is significantly more complex. The exact way that the headers are arranged in an IPSec datagram in both transport and tunnel modes depends on which version of IP is being used; IPv6 uses extension headers, which must be arranged in a particular order when IPSec is used. The header placement also depends on which IPSec protocol is being used: AH or ESP. Note that it is also possible to apply both AH and ESP to the same datagram; if so, the AH header always appears before the ESP header.
There are thus three variables and eight basic combinations of mode (tunnel or transport), IP version (IPv4 or IPv6) and protocol (AH or ESP). The two topics on AH and ESP describe the four format combinations of transport/tunnel mode and IPv4/IPv6 applicable to each protocol. Note that ESP also includes an ESP trailer (padding, pad length and next-header field) that goes after the protected data, followed by the optional ESP authentication data.
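To make the header ordering concrete, here is an added Python example (not code from the original page) that assembles IPv4 datagrams in both modes, with AH, ESP, or both, and then walks the resulting header chain by following the Protocol and Next Header fields, the same way a receiver locates each header. It assumes IPv4 only, ESP with NULL encryption (RFC 2410) and no integrity check value, and a zeroed placeholder where AH's ICV would go, so that the chain can be followed without keys; the addresses and the TCP segment are constructed for the example.

```python
"""Header ordering in IPsec transport and tunnel mode, for IPv4.

Added example, not code from the original page. Assumptions (labelled):
IPv4 only; ESP uses NULL encryption (RFC 2410) and carries no ICV; AH carries a
zeroed 12-byte ICV placeholder instead of a real HMAC. Nothing here is
cryptographically protected; the point is where each header sits and how the
Protocol / Next Header fields chain them together.
"""
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
NAMES = {IPPROTO_IPIP: "IPv4", IPPROTO_TCP: "TCP", IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}


def _fold(total):
    """One's-complement fold of a running 32-bit sum into 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header(proto, payload_len, src, dst):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    csum = ~_fold(sum(struct.unpack("!10H", hdr))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ipv4_checksum_ok(hdr):
    """A valid header sums (checksum field included) to 0xFFFF after folding."""
    return _fold(sum(struct.unpack("!10H", hdr[:20]))) == 0xFFFF


def ah_header(next_header, spi, seq):
    """AH: Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV.
    Payload Len counts 32-bit words minus 2: 24 bytes -> 6 words -> 4."""
    icv = bytes(12)  # placeholder; a real sender writes a truncated HMAC here
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv


def esp_wrap(next_header, spi, seq, plaintext):
    """ESP with NULL encryption: header (SPI, seq), payload, padding so that the
    trailer's Pad Length and Next Header end on a 4-byte boundary, then trailer."""
    pad_len = (-(len(plaintext) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding pattern
    trailer = struct.pack("!BB", pad_len, next_header)
    return struct.pack("!II", spi, seq) + plaintext + padding + trailer


def build(mode, protocols, outer, inner):
    """Build a datagram around a constructed dummy TCP segment.

    mode: "transport" or "tunnel"; protocols: any of "AH", "ESP" (AH goes
    outside ESP when both are used); outer/inner: (src, dst) address pairs,
    inner is only used in tunnel mode for the encapsulated header."""
    tcp = struct.pack("!HHIIBBHHH", 80, 8080, 1, 0, 0x50, 0x02, 65535, 0, 0)  # constructed
    if mode == "transport":
        payload, nxt = tcp, IPPROTO_TCP
    elif mode == "tunnel":
        payload = ipv4_header(IPPROTO_TCP, len(tcp), *inner) + tcp
        nxt = IPPROTO_IPIP  # the protected payload is a whole IPv4 datagram
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if "ESP" in protocols:
        payload, nxt = esp_wrap(nxt, 0x1000, 1, payload), IPPROTO_ESP
    if "AH" in protocols:  # applied last, so AH ends up outside ESP
        payload, nxt = ah_header(nxt, 0x2000, 1) + payload, IPPROTO_AH
    return ipv4_header(nxt, len(payload), *outer) + payload


def walk(datagram):
    """Follow the Protocol / Next Header fields from the outer IP header and
    return the chain of header names, e.g. ['IPv4', 'ESP', 'IPv4', 'TCP']."""
    chain, proto, off = [], IPPROTO_IPIP, 0
    while True:
        chain.append(NAMES[proto])
        if proto == IPPROTO_IPIP:
            ihl = (datagram[off] & 0x0F) * 4
            proto, off = datagram[off + 9], off + ihl
        elif proto == IPPROTO_AH:
            nxt, plen = datagram[off], datagram[off + 1]
            proto, off = nxt, off + (plen + 2) * 4
        elif proto == IPPROTO_ESP:
            # NULL encryption and no ICV: the trailer is the last two bytes.
            pad_len, nxt = datagram[-2], datagram[-1]
            datagram = datagram[:len(datagram) - 2 - pad_len]
            proto, off = nxt, off + 8
        else:
            return chain  # reached the transport header


if __name__ == "__main__":
    hosts = (socket.inet_aton("10.1.0.5"), socket.inet_aton("10.2.0.7"))
    gateways = (socket.inet_aton("198.51.100.1"), socket.inet_aton("203.0.113.1"))
    for mode, protos, outer in (("transport", ("ESP",), hosts),
                                ("tunnel", ("AH", "ESP"), gateways)):
        dgram = build(mode, protos, outer, hosts)
        print(f"{mode:9} {'+'.join(protos):6} {len(dgram):3} bytes  {' > '.join(walk(dgram))}")
```

The chaining of next-header values is what lets a receiver tell the two modes apart: in transport mode the innermost Next Header is 6 (TCP) and the transport segment follows directly, while in tunnel mode it is 4 (IPv4-in-IPv4) and a complete inner IP header follows. When both protocols are applied, the outer IP Protocol field is 51 (AH) and AH's own Next Header is 50 (ESP), which is the "AH before ESP" ordering described above.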
You could probably tell by reading these descriptions how the two modes relate to the choice of IPSec architecture from the preceding topic.
Transport mode fits most naturally with an implementation in which IPSec is integrated into IP, because AH/ESP must be applied as the original IP packaging is performed on the transport-layer message. This is often the choice for implementations requiring end-to-end security between hosts that run IPSec directly.
Tunnel mode represents an encapsulation of IP within the combination of IP+IPSec. Thus, it corresponds with the BITS ("Bump In The Stack") and BITW ("Bump In The Wire") implementations, where IPSec is applied after IP has processed higher-layer messages and already added its header. Tunnel mode is the common choice for VPN implementations, which are based on tunneling IP datagrams through an unsecured network such as the Internet.
Key Concept: IPSec has two basic modes of operation. In transport mode, IPSec AH and/or ESP headers are added as the original IP datagram is created; this mode is associated with integrated IPSec architectures. In tunnel mode, the original IP datagram is created normally, then the entire datagram is encapsulated into a new IP datagram containing the AH/ESP IPSec headers. This mode is most commonly used with "Bump In The Stack" and "Bump In The Wire" implementations.