session_09_vpn__ipsec__and_tls_101908

M. Mogollon – 01/08 – 21: AH and ESP support two modes of operation


[Slide figure: AH and ESP packet layouts in transport and tunnel mode. Labels: Original IP Header, New IP Header, Inner IP Header, AH, ESP, Payload Data; coverage bars marked Authentication / Integrity and Confidentiality. IKE v2 and TLS appear in the deck outline.]

M. Mogollon – 01/08 - 21

• AH and ESP support two modes of operation: transport mode and tunnel mode. A transport mode SA is a security association between two hosts. When a security gateway works in transport mode, it acts as a host: the traffic is destined for itself. A tunnel mode SA is a security association between a host and a gateway or between two gateways.

• Transport mode is used to protect upper-layer protocols. Tunnel mode is used to protect entire IP packets, meaning that the entire IP packet is encapsulated in another IP packet, and a new IP header is inserted in front of it, so the security protocol header sits between the outer and inner IP headers.

• In transport mode, the security protocol header appears immediately after the Original IP Header and before the Payload Data (any higher-layer protocol, e.g., TCP or UDP, and its data). In ESP transport mode, the SA provides security services only for the higher-layer protocols, not for the Original IP Header or any extension headers preceding the ESP header. In the case of AH, the protection is extended to the Original IP Header.

• For a tunnel mode SA, an "outer" header specifies the IPsec end-point and processing destination, and an "inner" header specifies the (apparently) ultimate destination of the packet. The security protocol header appears after the outer IP header and before the inner IP header. If AH is employed in tunnel mode, portions of the outer IP header are afforded protection (as above), as well as all of the tunneled IP packet, i.e., all of the inner IP header is protected, as well as the higher-layer protocols.
If ESP is employed, the protection is afford...
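As an added illustration (not from the slides or any IPsec implementation), a simplified Python model of which bytes AH and ESP integrity-protect in each mode. The header fields, key and payload are constructed, encryption is omitted, and only TTL is treated as a mutable field; the point is that AH covers the IP header in front of it (with mutable fields zeroed) while ESP never does.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # hypothetical SA integrity key, not from the slides

def ip_header(src, dst, ttl, proto):
    """Constructed, simplified IP header; a real IPv4 header has many more fields."""
    return {"src": src, "dst": dst, "ttl": ttl, "proto": proto}

def header_bytes(hdr, zero_mutable=False):
    """Serialize a header. AH zeroes mutable fields (here only TTL) before the ICV."""
    ttl = 0 if zero_mutable else hdr["ttl"]
    return f"{hdr['src']}>{hdr['dst']}:{ttl}:{hdr['proto']}".encode()

def encapsulate(protocol, mode, orig, payload, outer=None):
    """Return (layout, icv): the header order from the slide and an HMAC over
    exactly the bytes that AH or ESP integrity-protects in that mode."""
    assert protocol in ("AH", "ESP") and mode in ("transport", "tunnel")
    if mode == "transport":  # security header right after the original IP header
        preceding, tunneled = orig, payload
        layout = ["Original IP Header", protocol, "Payload Data"]
    else:  # whole original packet becomes the payload behind a new outer header
        preceding, tunneled = outer, header_bytes(orig) + payload
        layout = ["New IP Header", protocol, "Inner IP Header", "Payload Data"]
    if protocol == "AH":
        # AH also covers the immutable fields of the IP header that precedes it
        covered = header_bytes(preceding, zero_mutable=True) + b"AH" + tunneled
    else:
        # ESP covers only itself and what follows, never the preceding IP header
        covered = b"ESP" + tunneled
    return layout, hmac.new(KEY, covered, hashlib.sha256).digest()

def verify(protocol, mode, orig, payload, icv, outer=None):
    """Recompute the ICV for a (possibly modified) packet and compare in constant time."""
    expected = encapsulate(protocol, mode, orig, payload, outer)[1]
    return hmac.compare_digest(expected, icv)

if __name__ == "__main__":
    orig = ip_header("10.0.0.1", "10.0.0.2", 64, 6)            # constructed host packet
    moved = ip_header("10.0.0.1", "10.0.0.9", 64, 6)           # same packet, dst rewritten
    outer = ip_header("198.51.100.1", "198.51.100.2", 64, 50)  # constructed gateway pair
    data = b"constructed TCP segment"
    _, tag = encapsulate("AH", "transport", orig, data)
    print("AH transport, TTL decremented:", verify("AH", "transport", ip_header("10.0.0.1", "10.0.0.2", 63, 6), data, tag))
    print("AH transport, dst rewritten:  ", verify("AH", "transport", moved, data, tag))
    _, tag = encapsulate("ESP", "transport", orig, data)
    print("ESP transport, dst rewritten: ", verify("ESP", "transport", moved, data, tag))
    _, tag = encapsulate("ESP", "tunnel", orig, data, outer)
    print("ESP tunnel, inner dst rewritten:", verify("ESP", "tunnel", moved, data, tag, outer))
```

Running it shows the AH check surviving a TTL decrement but failing when the address is rewritten, while ESP transport accepts the rewritten original header because it never covered it.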