Security Basics mailing list archives
Re: IPSEC Tunnel vs Transport Mode
From: Mark Reardon <riscorp () mindspring com>
Date: Thu, 24 Apr 2003 08:08:49 -0400 (GMT)
Tunnel mode normally runs between two routers. The router at each end takes all traffic destined to the other router and sends it into the tunnel. This means that it does all the security work and then puts it in a new IP packet with the remote router's IP address as the destination. Some people show this with this diagram (NEW IP HDR : secured payload( original IP HDR, IP payload)). Tunnel mode works well when you are connecting two offices over a non-secure network. The only item exposed is the IP header used to navigate across the non-secure network.

Transport mode is designed to work between two servers. It is represented something like (IP HDR : secured IP payload). The IP header is left exposed since if you secure it, you just have to duplicate it to get the IP routing to work between the two servers. There is no benefit and it is more efficient to not do it. Since the IP payload is the transport layer, this was called transport mode.

Cisco's issue is that if a router runs IPSec, it needs the internal IP header to finish routing a received packet. The original IP header had the router as the destination. If you are in transport mode, there isn't another header to use. If you are in tunnel mode, the protected header is used.

I hope that helps.

Mark

-------Original Message-------
From: Robin Atler <ratler () enter net>
Sent: 04/23/03 09:51 AM
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode
I'm setting up a VPN. I've read some documentation that states, rather generically, that IPSEC tunnels can run in either tunnel or transport mode. Transport mode simply protects the message contents while tunnel mode protects the message contents and the original IP headers. I'm using Cisco gear which says that transport mode only works when the tunnel endpoints are the conversing devices. This doesn't seem quite right to me and I don't understand why that would be required. Can anyone explain that, or is this particular behavior simply a "cisco-ism"?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place.
http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell
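An added illustration of the two layouts Mark describes, not part of the thread: it builds the (NEW IP HDR : secured(original IP HDR, IP payload)) and (IP HDR : secured IP payload) encapsulations in Python and shows why only tunnel mode leaves a receiving router an inner header to route on. All addresses are constructed, and the "secured payload" is a placeholder marker plus the ESP trailer's Next Header byte rather than real encryption.

```python
import ipaddress
import struct

# Constructed sample addresses for this illustration (not from the original post).
HOST_A, HOST_B = "10.1.0.10", "10.2.0.20"           # hosts behind each office router
ROUTER_A, ROUTER_B = "198.51.100.1", "203.0.113.1"  # tunnel endpoints on the non-secure net
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a packet built by ipv4_header()."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), proto, pkt[20:total]

def secure(data, next_header):
    """Stand-in for the ESP 'secured payload'. Real ESP encrypts and authenticates;
    here we only add a marker plus the ESP trailer's Next Header byte, which tells the
    receiver whether the protected data is a whole IP packet (4) or a transport payload."""
    return b"ESP" + data + bytes([next_header])

def unsecure(body):
    """Reverse of secure(): returns (protected data, next header)."""
    assert body.startswith(b"ESP")
    return body[3:-1], body[-1]

def transport_mode(src, dst, proto, payload):
    """(IP HDR : secured IP payload): the original header stays exposed."""
    body = secure(payload, proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body

def tunnel_mode(outer_src, outer_dst, original_packet):
    """(NEW IP HDR : secured(original IP HDR, IP payload)): only the outer header is exposed."""
    body = secure(original_packet, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(body)) + body

def exposed_addresses(pkt):
    """What an observer on the non-secure network can read: the outer header only."""
    src, dst, _, _ = parse_ipv4(pkt)
    return src, dst

def forward_target(pkt, router_ip):
    """A router's decision after removing protection: in tunnel mode the inner header
    gives the real destination; in transport mode there is no inner header to route on."""
    _, dst, proto, body = parse_ipv4(pkt)
    if dst != router_ip or proto != IPPROTO_ESP:
        return None
    inner, next_header = unsecure(body)
    if next_header == IPPROTO_IPIP:
        return parse_ipv4(inner)[1]
    return None  # transport-mode payload ends at this router; nothing left to route
```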