Security Basics mailing list archives

Re: IPSEC Tunnel vs Transport Mode


From: Mark Reardon <riscorp () mindspring com>
Date: Thu, 24 Apr 2003 08:08:49 -0400 (GMT)

Tunnel mode normally runs between two routers. The router at each end takes all traffic destined to the other router 
and sends it into the tunnel. This means that it does all the security work and then puts it in a new IP packet 
with the remote router's IP address as the destination.

Some people show this with this diagram (NEW IP HDR : secured payload( original IP HDR, IP payload)).

Tunnel mode works well when you are connecting two offices over a non-secure network. The only item exposed is the IP 
header used to navigate across the non-secure network.

Transport mode is designed to work between two servers. It is represented something like (IP HDR : secured IP payload).

The IP header is left exposed since if you secure it, you just have to duplicate it to get the IP routing to work 
between the two servers. There is no benefit and it is more efficient to not do it. Since the IP payload is the 
transport layer, this was called transport mode.

Cisco's issue is that if a router runs IPSec, it needs the internal IP header to finish routing a received packet. The 
original IP header had the router as the destination. If you are in transport mode, there isn't another header to use. 
If you are in tunnel mode, the protected header is used.

I hope that helps.

Mark


-------Original Message-------
From: Robin Atler <ratler () enter net>
Sent: 04/23/03 09:51 AM
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode




I'm setting up a VPN.  I've read some documentation that states, rather 
generically, that IPSEC tunnels can run in either tunnel or transport 
mode.  Transport mode simply protects the message contents while tunnel 
mode protects the message contents and the original IP headers.  I'm using 
Cisco gear which says that transport mode only works when the tunnel 
endpoints are the conversing devices.  This doesn't seem quite right to me 
and I don't understand why that would be required.  Can anyone explain 
that or is this particular behavior simply a "cisco-ism"?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hands-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------



----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell

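The two packet layouts Mark describes, (NEW IP HDR : secured payload(original IP HDR, IP payload)) for tunnel mode and (IP HDR : secured IP payload) for transport mode, can be modelled in a few dozen lines. The example below is added here and is not part of the thread or of any vendor's code. It stands in for ESP with a toy construction (a SHA-256 keystream XOR plus a truncated HMAC-SHA256 ICV; real IPsec uses a negotiated cipher suite), and all addresses, keys and the SPI are constructed test values. It shows what stays visible on the untrusted network in each mode and why a decapsulating router only has somewhere to forward the packet in tunnel mode, where the protected inner header is recovered; in transport mode the only header is the outer one, addressed to the endpoint itself.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4   # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50


@dataclass
class SA:
    """Constructed security association shared by both ends (test values only)."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: int      # protocol carried in the payload
    payload: bytes  # the transport-layer segment (or ESP data once protected)


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Placeholder keystream, NOT a real cipher: SHA-256 over key, sequence number and counter.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!II", seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_protect(sa: SA, next_header: int, plaintext: bytes) -> bytes:
    """Toy ESP: SPI | seq | encrypted(data | next_header) | 96-bit ICV."""
    sa.seq += 1
    body = plaintext + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(sa.enc_key, sa.seq, len(body))))
    hdr = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
    return hdr + ct + icv


def esp_unprotect(sa: SA, esp: bytes):
    """Verify the ICV, decrypt, and return (next_header, plaintext)."""
    hdr, ct, icv = esp[:8], esp[8:-12], esp[-12:]
    spi, seq = struct.unpack("!II", hdr)
    expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:12]
    if spi != sa.spi or not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(sa.enc_key, seq, len(ct))))
    return body[-1], body[:-1]


def _pack_ip(pkt: IPPacket) -> bytes:
    # Minimal inner-header encoding: src(4) dst(4) proto(1) payload
    return socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst) + bytes([pkt.proto]) + pkt.payload


def _unpack_ip(raw: bytes) -> IPPacket:
    return IPPacket(socket.inet_ntoa(raw[:4]), socket.inet_ntoa(raw[4:8]), raw[8], raw[9:])


def transport_encap(pkt: IPPacket, sa: SA) -> IPPacket:
    """(IP HDR : secured IP payload): the original addresses stay on the wire."""
    return IPPacket(pkt.src, pkt.dst, IPPROTO_ESP, esp_protect(sa, pkt.proto, pkt.payload))


def tunnel_encap(pkt: IPPacket, sa: SA, gw_src: str, gw_dst: str) -> IPPacket:
    """(NEW IP HDR : secured(original IP HDR, IP payload)): only gateway addresses are exposed."""
    return IPPacket(gw_src, gw_dst, IPPROTO_ESP, esp_protect(sa, IPPROTO_IPIP, _pack_ip(pkt)))


def decap(wire: IPPacket, sa: SA) -> IPPacket:
    next_header, data = esp_unprotect(sa, wire.payload)
    if next_header == IPPROTO_IPIP:
        return _unpack_ip(data)                               # tunnel mode: inner header recovered
    return IPPacket(wire.src, wire.dst, next_header, data)    # transport mode: outer header is the only one


def next_hop(endpoint_addr: str, pkt: IPPacket) -> str:
    """What the decapsulating endpoint can do with the recovered packet."""
    return "deliver locally" if pkt.dst == endpoint_addr else f"forward to {pkt.dst}"


def demo() -> dict:
    sa = SA(spi=0x1001, enc_key=b"constructed-enc-key", auth_key=b"constructed-auth-key")
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"          # the two office routers
    host_a, host_b = "10.1.0.5", "10.2.0.7"             # hosts behind them
    segment = b"GET / HTTP/1.0\r\n\r\n"

    # Office-to-office traffic: tunnel mode between the routers.
    wire_t = tunnel_encap(IPPacket(host_a, host_b, IPPROTO_TCP, segment), sa, gw_a, gw_b)
    inner = decap(wire_t, sa)
    # Server-to-server traffic: transport mode between the endpoints themselves.
    wire_x = transport_encap(IPPacket(gw_a, gw_b, IPPROTO_TCP, segment), sa)
    recovered = decap(wire_x, sa)

    tampered = wire_t.payload[:12] + bytes([wire_t.payload[12] ^ 0x01]) + wire_t.payload[13:]
    try:
        esp_unprotect(sa, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "tunnel_wire": (wire_t.src, wire_t.dst),        # observer sees only gateway addresses
        "tunnel_action": next_hop(gw_b, inner),         # router has an inner dst to route to
        "transport_wire": (wire_x.src, wire_x.dst),     # observer sees the real endpoints
        "transport_action": next_hop(gw_b, recovered),  # nothing left to route: deliver locally
        "tamper_detected": tamper_detected,
        "payload_intact": inner.payload == segment and recovered.payload == segment,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `next_hop` results are the practical content of Mark's last paragraph: after decapsulation at the far router, the tunnel-mode packet carries the original header and so can be forwarded to the host behind the router, while the transport-mode packet was addressed to the router itself and has no second header, which is why the endpoints in transport mode must be the conversing devices.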