written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Network Security
Difficulty: Medium
written 8.4 years ago by | modified 2.9 years ago by |
Subject: System Web Security
Topic: Network Security
Difficulty: Medium
written 8.4 years ago by |
UNDERSTANDING IPSEC MODES –TUNNEL MODE & TRANSPORT MODE
IPSEC TUNNEL MODE
IPSec tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (IPSec peer).
Tunnel mode is most commonly used between gateways (Cisco routers or ASA firewalls), or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
ESP is identified in the New IP header with an IP protocol ID of 50.
The packet diagram below illustrates IPSec Tunnel mode with AH header:
IPSEC TRANSPORT MODE
IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host).
A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
Transport mode provides the protection of our data, also known as IP Payload, and consists of TCP/UDP header + Data, through an AH or ESP header.
The payload is encapsulated by the IPSec headers and trailers.
The original IP headers remain intact, except that the IP protocol field is changed to ESP (50) or AH (51), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted.
IPSec transport mode is usually used when another tunneling protocol (like GRE) is used to first encapsulate the IP data packet, then IPSec is used to protect the GRE tunnel packets. IPSec protects the GRE tunnel traffic in transport mode.
The AH can be applied alone or together with the ESP when IPSec is in transport mode.
AH’s job is to protect the entire packet, however, IPSec in transport mode does not create a new IP header in front of the packet but places a copy of the original with some minor changes to the protocol ID therefore not providing essential protection to the details contained in the IP header (Source IP, destination IP etc). AH is identified in the New IP header with an IP protocol ID of 51.
Transport mode
Pros
Cons
Tunnel mode
Pros
Cons
For hosts with dynamically assigned addresses (iSCSI), interoperability is poor
Transport Mode | Tunnel Mode | |
---|---|---|
Protection Provided | Protects IP payload only | Protects entire IP packet. |
AH | Authenticates only IP payload and selected portion of IP header | Authenticates entire inner IP packet and selected portion of outer IP header |
ESP | Encrypts IP payload and optionally authenticates it. | Encrypts and optionally authenticates entire inner IP packet. |
Place in TCP/IP model | In this mode, IPsec is placed between transport and network layer | In this mode, IPsec is placed between network layer and new network layer. |