Security Basics mailing list archives
RE: IPSEC Tunnel vs Transport Mode
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Apr 2003 09:09:26 -0700
-----Original Message-----
From: Robin Atler [mailto:ratler () enter net]
Sent: April 23, 2003 06:51
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode

I'm setting up a VPN. I've read some documentation that states, rather generically, that IPSEC tunnels can run in either tunnel or transport mode. Transport mode simply protects the message contents while tunnel mode protects the message contents and the original IP headers.

I'm using Cisco gear which says that transport mode only works when the tunnel endpoints are the conversing devices. This doesn't seem quite right to me and I don't understand why that would be required. Can anyone explain that, or is this particular behavior simply a "cisco-ism"?
In transport mode, host A encrypts the content of all packets it sends to host B, and host B decrypts them and encrypts its responses. Since only the content is encrypted, the packet sizes and traffic volumes don't change.

In tunnel mode, the packets *including headers* are encrypted, and these form the contents for packets with a new set of headers. There's some traffic overhead; since the packets are encapsulated, things like TTL don't update as they traverse the tunnel.

I think the reason you can't have two routers speak transport mode between them, transparently, is that encrypting the packet contents changes things like checksums, and so you no longer have an end-to-end verification that the contents were not corrupted. Although that's a case of "only makes sense when" rather than "only works when", so maybe there's an additional factor I'm overlooking.

David Gillett
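A toy model of the two modes, added here as an example and not part of the thread: it shows what each mode leaves in the clear, the size overhead each adds, and that in tunnel mode the inner packet's TTL is untouched across hops while a transport-mode packet's header keeps counting down. The addresses, the key and the XOR stand-in for ESP's cipher are all constructed for the example.

```python
from dataclasses import dataclass, replace

IP_HDR_LEN = 20         # IPv4 header without options
ESP_HDR = b"\x00" * 8   # SPI + sequence number; padding and ICV are omitted in this toy


@dataclass
class IPPacket:
    src: str
    dst: str
    ttl: int
    proto: str          # "TCP" in the clear, "ESP" once protected
    payload: bytes

    def size(self) -> int:
        return IP_HDR_LEN + len(self.payload)


def toy_seal(data: bytes, key: bytes) -> bytes:
    # Stand-in for ESP's cipher: XOR is NOT encryption, it only marks what ESP covers.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_transport(pkt: IPPacket, key: bytes) -> IPPacket:
    """Transport mode: keep the original IP header, protect payload + next-header trailer."""
    body = toy_seal(pkt.payload + b"|" + pkt.proto.encode(), key)
    return replace(pkt, proto="ESP", payload=ESP_HDR + body)


def esp_tunnel(pkt: IPPacket, gw_src: str, gw_dst: str, key: bytes) -> IPPacket:
    """Tunnel mode: the whole inner packet, header included, is the payload of a new packet."""
    inner = f"{pkt.src}>{pkt.dst}|ttl={pkt.ttl}|{pkt.proto}|".encode() + pkt.payload
    return IPPacket(gw_src, gw_dst, 64, "ESP", ESP_HDR + toy_seal(inner, key))


def hop(pkt: IPPacket) -> IPPacket:
    """A router on the path only touches the outermost header."""
    return replace(pkt, ttl=pkt.ttl - 1)


def esp_open(pkt: IPPacket, key: bytes, tunnel: bool) -> IPPacket:
    """Receiving endpoint: strip ESP; in tunnel mode the inner packet comes back as sent."""
    clear = toy_seal(pkt.payload[len(ESP_HDR):], key)   # XOR is its own inverse
    if not tunnel:
        payload, proto = clear.rsplit(b"|", 1)
        return replace(pkt, proto=proto.decode(), payload=payload)
    hdr, ttl, proto, payload = clear.split(b"|", 3)
    src, dst = hdr.decode().split(">")
    return IPPacket(src, dst, int(ttl[4:]), proto.decode(), payload)
```

Running a packet from 10.0.1.5 to 10.0.2.9 through three hops in each mode shows the transport-mode header still naming the two hosts with TTL 61 on arrival, while the tunnel-mode outer header names the gateways and the decapsulated inner packet is byte-for-byte what the host sent, TTL 64 included.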