Security Basics mailing list archives
RE: IPSEC Tunnel vs Transport Mode
From: "Naman Latif" <naman.latif () inamed com>
Date: Wed, 23 Apr 2003 09:47:45 -0700
I am assuming that your network would be Host PC<--->Security Gateway-1====IPSEC Tunnel====Security Gateway2<---->HostPC. Since the Tunnel Endpoints in this case are the Security Gateways, i.e. they are transiting traffic (flowing from Host1 to Host2 etc.), the SAs would be created between the "two security gateways" and NOT "the two hosts". The requirements for creating an SA include Destination address (of the remote IPSec endpoint), SPI, IPSec transforms etc. So Security Gateway-1 has to attach its own IP Header (with its own Source Address and Security-Gateway2's destination address) to successfully create an SA. In order to protect the original IP Header (which would be restored at Security Gateway2), the Tunnel Mode has to be used, which would protect the original IP Datagram and add its own IP Header in addition to ESP headers etc.

RFC-2401, Sec 4.1
++++++++++++++
As noted above, two types of SAs are defined: transport mode and tunnel mode. A transport mode SA is a security association between two hosts. In IPv4, a transport mode security protocol header appears immediately after the IP header and any options, and before any higher layer protocols (e.g., TCP or UDP). In IPv6, the security protocol header appears after the base IP header and extensions, but may appear before or after destination options, and before higher layer protocols. In the case of ESP, a transport mode SA provides security services only for these higher layer protocols, not for the IP header or any extension headers preceding the ESP header. In the case of AH, the protection is also extended to selected portions of the IP header, selected portions of extension headers, and selected options (contained in the IPv4 header, IPv6 Hop-by-Hop extension header, or IPv6 Destination extension headers). For more details on the coverage afforded by AH, see the AH specification [KA98a].

A tunnel mode SA is essentially an SA applied to an IP tunnel. Whenever either end of a security association is a security gateway, the SA MUST be tunnel mode. Thus an SA between two security gateways is always a tunnel mode SA, as is an SA between a host and a security gateway. Note that for the case where traffic is destined for a security gateway, e.g., SNMP commands, the security gateway is acting as a host and transport mode is allowed. But in that case, the security gateway is not acting as a gateway, i.e., not transiting traffic. Two hosts MAY establish a tunnel mode SA between themselves. The requirement for any (transit traffic) SA involving a security gateway to be a tunnel SA arises due to the need to avoid potential problems with regard to fragmentation and reassembly of IPsec packets, and in circumstances where multiple paths (e.g., via different security gateways) exist to the same destination behind the security gateways.
++++++++++++++++++++++

Regards
Naman
-----Original Message-----
From: Robin Atler [mailto:ratler () enter net]
Sent: Wednesday, April 23, 2003 6:51 AM
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode
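The header stacking and the gateway rule described in the reply above, as an added illustration that is not part of the original post or of any IPsec implementation: a transit packet between two hosts must be carried on a tunnel mode SA between the gateways (outer header from gateway to gateway, original datagram protected whole and restored by the peer), while traffic addressed to the gateway itself (the SNMP case) may use transport mode. Addresses, SPI and the Packet/SA classes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # original IP source (constructed sample values in the test)
    dst: str      # original IP destination
    payload: str  # upper-layer protocol carried, e.g. "TCP" or "UDP/SNMP"


@dataclass(frozen=True)
class SA:
    local: str  # this IPsec endpoint's own address
    peer: str   # remote IPsec endpoint: destination of the outer IP header
    spi: int    # Security Parameters Index that identifies the SA at the peer


def is_transit(pkt: Packet, sa: SA) -> bool:
    """True when the endpoint forwards someone else's packet, i.e. acts as a
    security gateway. If the packet runs between the two SA endpoints themselves
    (e.g. SNMP sent to the gateway), the endpoint is acting as a host."""
    return not (pkt.src == sa.local and pkt.dst == sa.peer)


def required_mode(pkt: Packet, sa: SA) -> str:
    # RFC 2401 sec 4.1: a transit-traffic SA involving a gateway MUST be tunnel mode
    return "tunnel" if is_transit(pkt, sa) else "transport"


def mode_allowed(pkt: Packet, sa: SA, mode: str) -> bool:
    # tunnel mode is always allowed; transport mode only for non-transit traffic
    return mode == "tunnel" or not is_transit(pkt, sa)


def encapsulate(pkt: Packet, sa: SA, mode: str) -> list[str]:
    """Header chain on the wire, outermost first. Everything listed after the
    ESP entry is what ESP integrity-protects and encrypts."""
    if not mode_allowed(pkt, sa, mode):
        raise ValueError("transport mode cannot carry transit traffic (RFC 2401 sec 4.1)")
    esp = f"ESP spi={sa.spi:#010x}"
    if mode == "transport":
        # ESP goes behind the original IP header, which stays unprotected
        return [f"IP {pkt.src}->{pkt.dst}", esp, pkt.payload]
    # Gateway prepends its own header; the whole original datagram is protected
    return [f"IP {sa.local}->{sa.peer}", esp, f"IP {pkt.src}->{pkt.dst}", pkt.payload]


def decapsulate(layers: list[str]) -> Packet:
    """Peer side: remove ESP (and the outer header in tunnel mode) and restore
    the original datagram that will be forwarded to the destination host."""
    esp_idx = next(i for i, h in enumerate(layers) if h.startswith("ESP "))
    inner = layers[esp_idx + 1:]
    tunnel = inner[0].startswith("IP ")  # protected part begins with an IP header
    ip_hdr, payload = (inner[0], inner[1]) if tunnel else (layers[0], inner[0])
    src, dst = ip_hdr.removeprefix("IP ").split("->")
    return Packet(src, dst, payload)
```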