Tunnel Versus Transport Mode

[Figure: Tunnel Versus Transport Mode. Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth. Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. In both modes the span from the data through the ESP trailer is encrypted and the span from the ESP header through the ESP trailer is authenticated; the outer IP header is neither. Legend: ESP HDR, ESP Trailer, ESP Auth. © 2004 Cisco Systems, Inc. All rights reserved.]

This figure shows an IPSec-protected path in basic scenarios in tunnel and transport modes. In transport mode, end hosts perform IPSec encapsulation of their own data (host-to-host); therefore, IPSec has to be implemented on the end hosts, and the application endpoint must also be the IPSec endpoint. In tunnel mode, IPSec gateways provide IPSec services to other hosts in peer-to-peer tunnels, and the end hosts are not aware of the IPSec services being used to protect their traffic. IPSec gateways provide transparent protection of other hosts' traffic over untrusted networks.

ESP and AH can be applied to IP packets in two different ways, referred to as modes:

■ Transport mode: In transport mode, security is provided for the upper protocol layers only (the transport layer and above). Transport mode protects the payload of the packet but leaves the original IP header in the clear; with ESP, that header is not authenticated either, so only the ESP header and the protected payload are covered by the integrity check. The original IP addresses are used to route the packet through the Internet. ESP transport mode is used between hosts.

■ Tunnel mode: Provides security for the whole original IP packet, header included. The original IP packet is encrypted and authenticated. Next, the encrypted packet is encapsulated in another IP packet with a new IP header. The outer IP addresses, normally those of the IPSec gateways, are used to route the packet through the Internet, so the original source and destination addresses are not visible on the untrusted network.
