ipsec - mode

Transport mode and tunnel mode

How the original IP packet is modified depends on the encapsulation mode used. AH and ESP both support two encapsulation modes: transport and tunnel.

Transport mode encapsulation retains the original IP header, so the IP header of the protected packet still reflects the original source and destination of the packet. Transport mode is most often used in a host-to-host scenario, where the data endpoints and the security endpoints are the same. A transport mode encapsulated datagram is routed, or transported, in the same manner as the original packet.

Figure 1. IPv4 packet encapsulated using AH in transport mode

[Figure: IP header | Authentication header | IP payload; the entire packet is authenticated]

Figure 2. IPv4 packet encapsulated using ESP in transport mode

[Figure: IP header | ESP header | IP payload | ESP trailer | ESP auth data; IP payload through ESP trailer encrypted; ESP header through ESP trailer authenticated]

Tunnel mode encapsulation builds a new IP header containing the source and destination addresses of the security endpoints. When tunnel mode is used, the outer IP header reflects the source and destination of the security endpoints, which might or might not be the same as the original source and destination IP addresses of the data connection. The choice of transport or tunnel mode depends on the structure of the network and relies heavily on the logical connections between the endpoints. Tunnel mode is required if one of the IKE peers is a security gateway that is applying IPSec on behalf of another host or hosts.

A datagram that is encapsulated in tunnel mode is routed, or tunneled, through the security gateways, so the secure IPSec packet might not follow the same network path as the original datagram would have. To successfully encapsulate and send an outbound packet, the route table must contain a route that can be used to reach the security gateway, as well as a route that can be used to reach the data endpoint. If policy-based routing is being used on a TCP/IP stack where IP security is active, it is important to understand how the two functions interact.

Figure 5. IPv4 packet encapsulated using AH in tunnel mode

[Figure: New IP header | Authentication header | IP packet (original IP header and IP payload); the entire packet is authenticated]

Figure 6. IPv4 packet encapsulated using ESP in tunnel mode

[Figure: New IP header | ESP header | IP packet (original IP header and IP payload) | ESP trailer | ESP auth data; IP packet through ESP trailer encrypted; ESP header through ESP trailer authenticated]

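The four layouts in Figures 1, 2, 5 and 6 as an added Python model (example code, not from the original page or from any IPsec implementation): it builds a constructed IPv4/UDP packet, wraps it with AH or ESP in transport or tunnel mode, and reports which byte ranges are authenticated and encrypted. Header formats follow RFC 4302 and RFC 4303; the key, addresses, SPI and the omission of actual encryption are assumptions of the example.

```python
import hmac, hashlib, struct

ESP, AH, IPIP = 50, 51, 4              # IP protocol numbers
KEY = b"constructed-demo-key"          # constructed; not a real SA key
ICV_LEN = 12                           # 96-bit truncated HMAC-SHA256

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header (dotted-quad src/dst) with a valid header checksum."""
    quad = lambda a: bytes(int(o) for o in a.split("."))
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                    quad(src), quad(dst))
    s = sum(struct.unpack("!10H", h)); s = (s >> 16) + (s & 0xFFFF); s += s >> 16
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:]

def encapsulate(inner, proto, tunnel=False, gateways=None, spi=0x1000, seq=1):
    """Model AH/ESP encapsulation of an IPv4 packet in transport or tunnel mode.
    Returns (packet, authenticated_span, encrypted_span) with (start, end) byte
    offsets; encrypted_span is None for AH. Encryption itself is omitted so the
    layout stays readable, but the ICV is a real HMAC over the authenticated span."""
    if tunnel:
        # Tunnel mode: new outer header addressed to the security endpoints (the
        # gateways); the whole original packet, header included, becomes the payload.
        src, dst = gateways
        payload, next_hdr = inner, IPIP
    else:
        # Transport mode: original header kept, so src/dst are the data endpoints.
        src, dst = (".".join(map(str, inner[i:i + 4])) for i in (12, 16))
        payload, next_hdr = inner[20:], inner[9]
    if proto == AH:
        # AH = Next Header | Payload Len (32-bit words - 2) | Reserved | SPI | Seq | ICV
        ah_len = 12 + ICV_LEN
        outer = ipv4_header(src, dst, AH, 20 + ah_len + len(payload))
        ah = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
        # ICV covers the entire packet (Figures 1 and 5) with the ICV field and the
        # mutable IP fields (TOS, flags/fragment offset, TTL, checksum) zeroed.
        m = bytearray(outer); m[1] = m[8] = 0; m[6:8] = m[10:12] = b"\0\0"
        icv = hmac.new(KEY, bytes(m) + ah + bytes(ICV_LEN) + payload, hashlib.sha256).digest()[:ICV_LEN]
        pkt = outer + ah + icv + payload
        return pkt, (0, len(pkt)), None
    # ESP = SPI | Seq | payload | trailer (padding, Pad Length, Next Header) | ICV
    pad = (-(len(payload) + 2)) % 4            # pad so the trailer ends on a 4-byte boundary
    body = payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    outer = ipv4_header(src, dst, ESP, 20 + len(esp_hdr) + len(body) + ICV_LEN)
    pkt = outer + esp_hdr + body + icv
    enc = (28, 28 + len(body))                  # payload through ESP trailer (Figures 2 and 6)
    return pkt, (20, enc[1]), enc               # authenticated: ESP header through trailer

# Constructed sample inner packet: UDP (proto 17) between two hosts behind two gateways
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 20 + 12) + b"hello-ipsec!"
GATEWAYS = ("192.0.2.1", "198.51.100.1")        # constructed security endpoints
```

Comparing the AH tunnel-mode output with the transport-mode output shows the point of the text: only in tunnel mode do the outer source and destination become the gateway addresses while the original header survives intact inside the protected payload.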
posted @ 2021-11-24 15:48  xman888