Security Basics mailing list archives

RE: IPSEC Tunnel vs Transport Mode


From: "Naman Latif" <naman.latif () inamed com>
Date: Wed, 23 Apr 2003 09:47:45 -0700

I am assuming that your network would be

Host PC <---> Security Gateway-1 ==== IPSEC Tunnel ==== Security Gateway-2 <---> Host PC

Since the Tunnel Endpoints in this case are the Security Gateways, i.e.
they are transiting traffic (flowing from Host1 to Host2 etc.), the SAs
would be created between the "two security gateways" and NOT "the two
hosts". The requirements for creating an SA include the Destination
address (of the remote IPSec endpoint), SPI, IPSec transforms etc.

So Security Gateway-1 has to attach its own IP Header (with its own
Source Address and Security Gateway-2's Destination Address) to
successfully create an SA.
In order to protect the original IP Header (which would be restored at
Security Gateway-2), Tunnel Mode has to be used, which would protect
the original IP Datagram and add its own IP Header in addition to the ESP
headers etc.


RFC 2401, Sec. 4.1

++++++++++++++
As noted above, two types of SAs are defined: transport mode and
   tunnel mode.  A transport mode SA is a security association between
   two hosts.  In IPv4, a transport mode security protocol header
   appears immediately after the IP header and any options, and before
   any higher layer protocols (e.g., TCP or UDP).  In IPv6, the security
   protocol header appears after the base IP header and extensions, but
   may appear before or after destination options, and before higher
   layer protocols.  In the case of ESP, a transport mode SA provides
   security services only for these higher layer protocols, not for the
   IP header or any extension headers preceding the ESP header.  In the
   case of AH, the protection is also extended to selected portions of
   the IP header, selected portions of extension headers, and selected
   options (contained in the IPv4 header, IPv6 Hop-by-Hop extension
   header, or IPv6 Destination extension headers).  For more details on
   the coverage afforded by AH, see the AH specification [KA98a].

   A tunnel mode SA is essentially an SA applied to an IP tunnel.
   Whenever either end of a security association is a security gateway,
   the SA MUST be tunnel mode.  Thus an SA between two security gateways
   is always a tunnel mode SA, as is an SA between a host and a security
   gateway.  Note that for the case where traffic is destined for a
   security gateway, e.g., SNMP commands, the security gateway is acting
   as a host and transport mode is allowed.  But in that case, the
   security gateway is not acting as a gateway, i.e., not transiting
   traffic.  Two hosts MAY establish a tunnel mode SA between
   themselves.  The requirement for any (transit traffic) SA involving a
   security gateway to be a tunnel SA arises due to the need to avoid
   potential problems with regard to fragmentation and reassembly of
   IPsec packets, and in circumstances where multiple paths (e.g., via
   different security gateways) exist to the same destination behind the
   security gateways.
++++++++++++++++++++++


Regards \\ Naman


-----Original Message-----
From: Robin Atler [mailto:ratler () enter net] 
Sent: Wednesday, April 23, 2003 6:51 AM
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode
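The header layouts Naman describes, as an added example that is not part of the original post or of any IPsec implementation: it builds ESP packets in transport mode (host to host) and in tunnel mode (gateway to gateway) and parses them back, so the reader can see that in tunnel mode the outer header carries the gateway addresses while the original datagram, header included, sits inside the ESP-protected region and is restored at the far gateway. Host and gateway addresses, the SPI and the key are constructed sample values; ESP is built with integrity-only protection (HMAC-SHA-256 truncated to 128 bits) instead of encryption so the protected region stays readable, and the header ordering follows RFC 2401/4303.

```python
"""Added example, not from the original post: ESP transport mode vs tunnel
mode laid out byte by byte.  Addresses, SPI and key are constructed samples;
integrity-only ESP (HMAC-SHA-256-128) stands in for encryption."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # next header: an encapsulated IPv4 datagram (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16        # HMAC-SHA-256-128 integrity check value


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement checksum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[ihl:f[2]]}


def esp_encapsulate(spi, seq, key, payload, next_header) -> bytes:
    """RFC 4303 layout: SPI | seq | payload | padding | pad len | next hdr | ICV.
    Everything from the SPI through the next-header byte is covered by the ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # RFC default monotonic padding
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(spi, key, esp):
    """Verify the ICV, then strip the ESP header and trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    pkt_spi, _seq = struct.unpack("!II", body[:8])
    if pkt_spi != spi:
        raise ValueError("unknown SPI")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(host_src, host_dst, segment, spi, seq, key) -> bytes:
    """Host to host: the original IP header stays outside the ESP coverage."""
    esp = esp_encapsulate(spi, seq, key, segment, IPPROTO_TCP)
    return ipv4_header(host_src, host_dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_datagram, spi, seq, key) -> bytes:
    """Gateway to gateway: the whole original datagram goes inside ESP and
    the gateway prepends a new header carrying its own addresses."""
    esp = esp_encapsulate(spi, seq, key, inner_datagram, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def demo() -> dict:
    key, spi = b"constructed-sample-key", 0x1000
    host_a, host_b = "10.1.0.10", "10.2.0.20"        # hosts behind the gateways
    gw_a, gw_b = "198.51.100.1", "203.0.113.1"       # the tunnel endpoints
    segment = b"\x04\xd2\x00\x50" + b"\x00" * 16 + b"GET / HTTP/1.0\r\n\r\n"
    # Transport mode, as between two hosts.
    outer = parse_ipv4(transport_mode(host_a, host_b, segment, spi, 1, key))
    nh, payload = esp_decapsulate(spi, key, outer["payload"])
    transport = {"outer": (outer["src"], outer["dst"]), "next_header": nh,
                 "payload": payload}
    # Tunnel mode, as Gateway 1 sends it on Host A's behalf.
    inner = ipv4_header(host_a, host_b, IPPROTO_TCP, len(segment)) + segment
    outer = parse_ipv4(tunnel_mode(gw_a, gw_b, inner, spi, 1, key))
    nh, payload = esp_decapsulate(spi, key, outer["payload"])
    restored = parse_ipv4(payload)                   # what Gateway 2 forwards
    # Flip one bit of the inner (protected) source address: the ICV rejects it.
    damaged = bytearray(outer["payload"])
    damaged[8 + 12] ^= 0x01
    try:
        esp_decapsulate(spi, key, bytes(damaged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    tunnel = {"outer": (outer["src"], outer["dst"]), "next_header": nh,
              "inner": (restored["src"], restored["dst"]),
              "inner_payload": restored["payload"],
              "tamper_detected": tamper_detected}
    return {"transport": transport, "tunnel": tunnel}


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, "outer", r["outer"], "next header", r["next_header"])
```

Running it prints the outer addresses for each mode: transport mode shows the host addresses on the wire, tunnel mode shows only the gateway addresses, with the host-to-host header recovered from inside ESP and protected by the ICV, which is the property the RFC text relies on when it requires tunnel mode for any SA that transits traffic through a gateway.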


