[Figure: AH and ESP packet layouts in transport and tunnel (VPN) mode. Labels: Original IP Header, IPsec Header, Payload Data; New IP Header, ESP Header, Inner IP Header, Payload Data; byte ranges marked "Confidentiality" and "Authentication / Integrity".]
IKE v2 TLS M. Mogollon – 01/08 - 21
• AH and ESP support two modes of operation: transport mode and tunnel mode. A transport mode SA is a security association between two hosts. When a security gateway works in transport mode, it acts as a host: the traffic is destined for itself. A tunnel mode SA is a security association between a host and a gateway or between two gateways.
• Transport mode is used to protect upper-layer protocols. Tunnel mode is used to protect entire IP packets: the original IP packet is encapsulated in a new IP packet, and the security protocol (AH or ESP) header is inserted between the new outer IP header and the inner (original) IP header.
• In transport mode, the security protocol header appears immediately after the Original IP Header and before the Payload Data (any higher-layer protocol, e.g., TCP or UDP, and its data). In ESP transport mode, the SA provides security services only for the higher-layer protocols, not for the Original IP Header or any extension headers preceding the ESP header. In the case of AH, the protection is extended to the Original IP Header.
• For a tunnel mode SA, an "outer" header specifies the IPsec end-point and processing destination, and an "inner" header specifies the (apparently) ultimate destination of the packet. The security protocol header appears after the outer IP header and before the inner IP header. If AH is employed in tunnel mode, portions of the outer IP header are afforded protection (as above), as well as the whole tunneled IP packet, i.e., the entire inner IP header is protected, as well as the higher-layer protocols. If ESP is employed, the protection is afford...
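The header ordering and protection scope described in the bullets above, as an added example that is not part of these slides: a Python script that assembles the four packet layouts (ESP and AH, each in transport and tunnel mode) from a minimal IPv4 header, a constructed TCP segment and a constructed ICV key, then walks the headers in order and checks which bytes an ICV verification actually covers. The key, the SPI values, the 12-byte truncated HMAC as the ICV, the zeroing of only TTL and checksum as AH's mutable fields, and the unencrypted ESP payload are simplifications made for readability, not how a real SA is configured.

```python
"""Byte layout of AH and ESP packets in transport vs. tunnel mode (constructed teaching example)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # next-header value for a tunneled IPv4 packet
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51
IP_HDR_LEN = 20
ESP_HDR_LEN = 8     # SPI + sequence number
ICV_LEN = 12        # truncated keyed-hash output, as with HMAC-SHA1-96
AH_LEN = 12 + ICV_LEN
DEMO_KEY = b"constructed-demo-key"   # constructed for this example only, not a real SA key
# Constructed 20-byte TCP header: sport 1234, dport 443, seq 1, SYN, window 4096.
DEMO_TCP = struct.pack("!HHIIBBHHH", 1234, 443, 1, 0, 0x50, 0x02, 4096, 0, 0)

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header, no options; checksum left zero because it is irrelevant to the layout."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def compute_icv(data):
    """Integrity check value: keyed hash over the covered bytes, truncated to ICV_LEN."""
    return hmac.new(DEMO_KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_wrap(inner, next_header, spi=0x1001, seq=1):
    """ESP = [SPI, seq] + payload + trailer(padding, pad_len, next_header) + ICV. Real ESP encrypts
    payload+trailer; here they stay in clear so the offsets stay readable. Returns
    (esp_bytes, confidentiality_range, integrity_range) with offsets relative to the ESP start."""
    pad_len = (4 - (len(inner) + 2) % 4) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authenticated = struct.pack("!II", spi, seq) + inner + trailer
    return (authenticated + compute_icv(authenticated),
            (ESP_HDR_LEN, len(authenticated)),   # encrypted: payload + trailer, never SPI/seq
            (0, len(authenticated)))             # authenticated: everything except the ICV

def ah_wrap(ip_hdr, payload, next_header, spi=0x2002, seq=1):
    """AH = [next_header, payload_len, reserved, SPI, seq, ICV]; the ICV covers the IP header with
    mutable fields zeroed (only TTL and checksum here), the AH with a zeroed ICV, and the payload."""
    payload_len = AH_LEN // 4 - 2                   # AH length in 32-bit words, minus 2
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    ip_immutable = bytearray(ip_hdr)
    ip_immutable[8] = 0                             # TTL
    ip_immutable[10:12] = b"\x00\x00"               # header checksum
    return ah_no_icv + compute_icv(bytes(ip_immutable) + ah_no_icv + bytes(ICV_LEN) + payload)

def esp_packet(mode, src, dst, tcp_segment, inner_src=None, inner_dst=None):
    """'transport': original IP header + ESP(TCP). 'tunnel': new outer IP header + ESP(inner IP packet).
    Returns the packet and the absolute byte ranges that get confidentiality and integrity."""
    if mode == "transport":
        esp, conf, integ = esp_wrap(tcp_segment, IPPROTO_TCP)
    else:
        inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, IP_HDR_LEN + len(tcp_segment)) + tcp_segment
        esp, conf, integ = esp_wrap(inner, IPPROTO_IPIP)
    outer = ipv4_header(src, dst, IPPROTO_ESP, IP_HDR_LEN + len(esp))
    shift = lambda r: (r[0] + IP_HDR_LEN, r[1] + IP_HDR_LEN)
    return outer + esp, {"confidentiality": shift(conf), "integrity": shift(integ)}

def ah_packet(mode, src, dst, tcp_segment, inner_src=None, inner_dst=None):
    """Same two modes for AH. Integrity covers the whole packet (minus the mutable IP fields);
    AH gives no confidentiality in either mode."""
    if mode == "transport":
        payload, next_header = tcp_segment, IPPROTO_TCP
    else:
        payload = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, IP_HDR_LEN + len(tcp_segment)) + tcp_segment
        next_header = IPPROTO_IPIP
    outer = ipv4_header(src, dst, IPPROTO_AH, IP_HDR_LEN + AH_LEN + len(payload))
    pkt = outer + ah_wrap(outer, payload, next_header) + payload
    return pkt, {"confidentiality": None, "integrity": (0, len(pkt))}

def verify_esp_icv(pkt):
    """Recompute the ESP ICV; False if any authenticated byte changed (the outer IP header is not one)."""
    return hmac.compare_digest(compute_icv(pkt[IP_HDR_LEN:-ICV_LEN]), pkt[-ICV_LEN:])

def verify_ah_icv(pkt):
    """Recompute the AH ICV; False if the IP header's immutable fields, the AH, or the payload changed."""
    ip_hdr, ah, payload = pkt[:IP_HDR_LEN], pkt[IP_HDR_LEN:IP_HDR_LEN + AH_LEN], pkt[IP_HDR_LEN + AH_LEN:]
    spi, seq = struct.unpack("!II", ah[4:12])
    return hmac.compare_digest(ah_wrap(ip_hdr, payload, ah[0], spi, seq), ah)

def header_sequence(pkt):
    """Walk the headers in order (possible here only because the demo ESP payload is not encrypted)."""
    names, offset, proto = ["IP"], IP_HDR_LEN, pkt[9]
    while proto != IPPROTO_TCP:
        if proto == IPPROTO_AH:
            names.append("AH"); proto = pkt[offset]; offset += AH_LEN
        elif proto == IPPROTO_ESP:
            names.append("ESP"); proto = pkt[-ICV_LEN - 1]; offset += ESP_HDR_LEN
        elif proto == IPPROTO_IPIP:
            names.append("IP"); proto = pkt[offset + 9]; offset += IP_HDR_LEN
        else:
            raise ValueError(f"unexpected protocol {proto}")
    return names + ["TCP"]
```

Calling `header_sequence` on the four packets yields `IP | ESP | TCP`, `IP | ESP | IP | TCP`, `IP | AH | TCP` and `IP | AH | IP | TCP`, which is the ordering the bullets describe. The verification functions make the scope difference concrete: flipping a byte of the destination address in an ESP transport-mode packet still passes `verify_esp_icv`, because ESP transport mode covers only the upper layers, whereas the same flip fails `verify_ah_icv`; changing the TTL passes AH verification because it is a mutable field excluded from the ICV.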
- Spring '10