1
66kviews
Differentiate between the transport mode and tunnel mode of IP Sec and explain how authentication and confidentiality are achieved using IP Sec.
1 Answer
8
2.4kviews
Transport mode Tunnel mode
Here end hosts do IPsec encapsulation of their own data; hence IPsec needs to implemented on each end-hosts IPsec gateways provide service to other hosts in peer-to-peer tunnels; hence the end-hosts don’t need IPsec.
Lower overhead than tunnel mode More overhead required
No edits on IP header The entire packet is hashed or encrypted; IP header is applied to the packet during transit.
Used in securing communication from one device to another. Used to tunnel traffic from one site to another
It is good for ESP host-to-host traffic It is good for VPNs, gateway-to-gateway security.
Provides protection primarily to upper layer protocols Provides protection to entire IP packet
AH in transport mode authenticates the IP payload and selected portions of IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.
ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header.

Authentication is provided by Authentication Header (AH)

  • The AH provides source authentication. It protects against source spoofing.
  • The AH protects against replay attacks by using monotonically increasing sequence numbers.
  • But it cannot provide confidentiality.
  • The AH header format is shown aside:
    • Next header $\rightarrow$ type of header immediately following this header (e.g., TCP, IP, etc.)
    • Payload length $\rightarrow$ length of AH (in 32 bit words) minus 2
    • Security Parameters Index $\rightarrow$ identifies the SA used to generate this header
    • Sequence number $\rightarrow$ sequence o Sequence number $\rightarrow$ sequence number of the packet
    • Authentication data $\rightarrow$ a (truncated) MAC (default length is 3x32 bits)

enter image description here

Confidentiality is achieved using encapsulating security payload (ESP):

enter image description here

The header format of ESP is given as:

enter image description here

  • Security Parameters Indexidentifies the SA used to generate this encrypted packet
  • Sequence number
  • Payload $\rightarrow$ transport level segment (transfer mode) or encapsulated IP packet (tunnel mode)
  • Padding $\rightarrow$ variable length padding
  • Pad length
  • Next header $\rightarrow$ identifies the type of data contained in the header
  • Authentication data $\rightarrow$ a (truncated) MAC computed over the ESP packet

enter image description here

Please log in to add an answer.