RE: IPSEC Tunnel vs Transport Mode

From: Schouten, Diederik (Diederik) (dschout@lucent.com)
Date: 04/24/03

    From: "Schouten, Diederik (Diederik)" <dschout@lucent.com>
    To: "'Robin Atler'" <ratler@enter.net>, security-basics@securityfocus.com
    Date: Thu, 24 Apr 2003 10:45:39 +0200
    
    

    This is actually general behaviour and not a Cisco-Ism :)

    In transport mode, all that happens is authentication and/or encryption of
    the payload of the packet; the original IP header is still used for the
    packet routing.
    This, as you say, is mostly used when 2 hosts need to securely talk to each
    other without the requirement of a VPN gateway.

    As soon as a gateway is used to set up LAN-LAN or Client-LAN "tunnels", the
    original packet gets encapsulated and a new IP header is built with the
    information of the 2 endpoints.
    Authentication is now done on the new IP header and encryption is done on
    the new packet's payload.

    All VPN Gateways/VPN Capable Firewalls will use Tunnel mode for site-site
    VPNs.

    Transport mode:

    original packet: [eth [ip [tcp/udp [data] ] ] ]
    before encryption: [eth [ip [esp [tcp/udp [data] ] ] ] ]
    encrypted: [eth [ip [esp [xxxxxxxxxxxxxxx] ] ] ]

    Tunnel Mode:

    original packet: [eth [ip-in [tcp/udp [data] ] ] ]
    encapsulated: [eth [ip-out [ip-in [tcp/udp [data] ] ] ] ]
    before encryption: [eth [ip-out [esp [ip-in [tcp/udp [data] ] ] ] ] ]
    encrypted: [eth [ip-out [esp [xxxxxxxxxxxxxxxxxxxxxxxx] ] ] ]

    As you can see there are 2 IP Headers in the Tunnel mode...
    ip-in (the original header used for host-host communication)
    ip-out (the header used for gateway-gateway communication)

    Greetings,

            Diederik

    > -----Original Message-----
    > From: Robin Atler [mailto:ratler@enter.net]
    > Sent: 23 April 2003 14:51
    > To: security-basics@securityfocus.com
    > Subject: IPSEC Tunnel vs Transport Mode
    >
    >
    >
    >
    > I'm setting up a VPN. I've read some documentation that states, rather
    > generically, that IPSEC tunnels can run in either tunnel or transport
    > mode. Transport mode simply protects the message contents while tunnel
    > mode protects the message contents and the original IP headers. I'm using
    > Cisco gear which says that transport mode only works when the tunnel
    > endpoints are the conversing devices. This doesn't seem quite right to me
    > and I don't understand why that would be required. Can anyone explain
    > that, or is this particular behavior simply a "cisco-ism"?
    >

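As an added illustration (not part of the thread above), the following Python models the two layouts from the reply at the byte level: it builds a transport-mode and a tunnel-mode packet for the same TCP segment and shows which IP addresses an observer on the wire can still read. The addresses are constructed sample values, and the XOR "transform" is a placeholder standing in for the real ESP cipher, chosen only so that the hidden and visible parts can be inspected.

```python
import struct

ESP, TCP, IPIP = 50, 6, 4          # IP protocol numbers: ESP, TCP, IP-in-IP

def ip_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (total length fixed, checksum zero) so the layout stays inspectable."""
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, addr(src), addr(dst))

def toy_transform(data):
    """Placeholder for the ESP cipher (XOR with a fixed byte): shows WHAT is hidden, not how."""
    return bytes(b ^ 0x5A for b in data)

def esp_wrap(plain, next_header, spi=0x1001, seq=1):
    """ESP = [SPI][sequence][encrypted: plain + trailer(pad_len, next_header)]."""
    return struct.pack("!II", spi, seq) + toy_transform(plain + bytes([0, next_header]))

def esp_unwrap(esp):
    """Reverse esp_wrap: return (next_header, protected bytes)."""
    plain = toy_transform(esp[8:])
    return plain[-1], plain[:-2]

def transport_mode(src, dst, segment):
    """[ip [esp [tcp/udp [data]]]]: the original header stays in the clear and still routes the packet;
    only the TCP/UDP payload goes inside ESP, and the header's protocol field becomes ESP."""
    return ip_header(src, dst, ESP) + esp_wrap(segment, TCP)

def tunnel_mode(src, dst, segment, gw_src, gw_dst):
    """[ip-out [esp [ip-in [tcp/udp [data]]]]]: the whole original packet (ip-in + payload) is
    encrypted and a new ip-out header carrying the gateway addresses is prepended."""
    inner = ip_header(src, dst, TCP) + segment
    return ip_header(gw_src, gw_dst, ESP) + esp_wrap(inner, IPIP)

def on_the_wire(packet):
    """What an observer sees unencrypted: the outer header's source, destination and protocol."""
    def fmt(b):
        return ".".join(str(x) for x in b)
    return fmt(packet[12:16]), fmt(packet[16:20]), packet[9]

def receive(packet):
    """Strip the outer header and ESP, as the far endpoint would: tunnel mode yields the
    original packet (next header 4 = IP-in-IP), transport mode yields the bare segment (6 = TCP)."""
    return esp_unwrap(packet[20:])
```

Running `receive()` on both packets shows why transport mode only fits host-to-host use: the decapsulated result carries no IP header of its own, so the outer header must already belong to the conversing hosts, whereas tunnel mode hands the gateway a complete inner packet to forward.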

