IPsec Modes
IPsec operates in two different modes: Transport mode (host-to-host) and Tunnel mode (gateway-to-gateway or gateway-to-host).
- Transport mode: the IPv6 header of the original packet is used, followed by the AH or ESP header, then the payload.
- Tunnel mode: a new IPv6 header encapsulates the AH or ESP header and the original IP header and payload.
Transport mode is more flexible than tunnel mode. However, transport mode is more complex in terms of secure-channel setup and administration, which has limited its deployment. In transport mode, IPsec must be properly configured on every node on the network that wants to communicate securely. In comparison, tunnel mode is simpler and is usually accomplished by means of a Virtual Private Network (VPN). The tunnel mode setup procedure reduces the complexity to the setup of the security gateways only, and the establishment of secure channels between them.
Tunnel mode forms the more familiar VPN functionality, where entire IP packets are encapsulated inside another and delivered to the destination. This is commonly used to connect branch offices with company headquarters, allowing all users to share sensitive resources without fear of interception.
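As an added illustration (not code from the original post), the following Python builds the two layouts described above with a minimal IPv6 header and an unencrypted ESP header and trailer, and shows how a parser tells them apart: in transport mode the ESP trailer's Next Header names the transport protocol and the outer header still carries the end hosts' addresses, while in tunnel mode the Next Header is 41 (IPv6) and the outer header carries only the gateways. The addresses and the TCP segment are constructed; encryption and the ICV are omitted.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_IPV6, IPPROTO_ESP = 6, 41, 50

def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header (RFC 8200): version 6, hop limit 64, no traffic class/flow label."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def esp_encapsulate(spi: int, seq: int, data: bytes, next_header: int) -> bytes:
    """ESP header (SPI, sequence) + data + trailer (padding, pad length, Next Header).
    Encryption and the ICV are left out: the point is the layout and where Next Header sits."""
    pad_len = (-(len(data) + 2)) % 4  # pad so data + trailer is 4-byte aligned (RFC 4303)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + data + trailer

def transport_mode(src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Host-to-host: the original IPv6 header, then ESP, then the transport payload."""
    esp = esp_encapsulate(0x1000, 1, tcp_segment, IPPROTO_TCP)
    return ipv6_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(gw_src: str, gw_dst: str, original_packet: bytes) -> bytes:
    """Gateway-to-gateway: a new IPv6 header for the gateways, then ESP, then the whole original packet."""
    esp = esp_encapsulate(0x2000, 1, original_packet, IPPROTO_IPV6)
    return ipv6_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def esp_decapsulate(packet: bytes):
    """Strip outer header, ESP header and trailer from a plaintext ESP packet.
    Returns (mode, outer_src, outer_dst, inner_next_header, inner_bytes)."""
    _, payload_len, next_header, _, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if next_header != IPPROTO_ESP:
        raise ValueError("outer Next Header is not ESP (50)")
    esp = packet[40:40 + payload_len]
    pad_len, inner_nh = esp[-2], esp[-1]
    inner = esp[8:len(esp) - 2 - pad_len]
    mode = "tunnel" if inner_nh in (4, IPPROTO_IPV6) else "transport"  # 4 = IPv4 carried in ESP
    return mode, str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), inner_nh, inner

# Constructed sample: two hosts behind two security gateways and a 20-byte placeholder TCP segment.
HOST_A, HOST_B = "2001:db8:a::10", "2001:db8:b::10"
GW_A, GW_B = "2001:db8::1", "2001:db8::2"
TCP_SEGMENT = b"\x00\x50\x1f\x90" + b"\x00" * 16

if __name__ == "__main__":
    original = ipv6_header(HOST_A, HOST_B, IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    for pkt in (transport_mode(HOST_A, HOST_B, TCP_SEGMENT), tunnel_mode(GW_A, GW_B, original)):
        mode, src, dst, nh, inner = esp_decapsulate(pkt)
        print(f"{mode:9s} outer {src} -> {dst}  inner Next Header {nh}  {len(inner)} inner bytes")
```

Running it shows why tunnel mode suits the gateway-to-gateway VPN case: an observer on the path sees only the two gateway addresses, whereas the transport-mode packet still exposes which hosts are talking.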
Clearly, a secure VPN requires both authentication and encryption. We know that ESP is the only way to provide encryption, but ESP and AH both can provide authentication: