Security Basics mailing list archives

RE: IPSEC Tunnel vs Transport Mode


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Apr 2003 09:09:26 -0700

-----Original Message-----
From: Robin Atler [mailto:ratler () enter net]
Sent: April 23, 2003 06:51
To: security-basics () securityfocus com
Subject: IPSEC Tunnel vs Transport Mode

I'm setting up a VPN. I've read some documentation that states, rather
generically, that IPSEC tunnels can run in either tunnel or transport
mode. Transport mode simply protects the message contents while tunnel
mode protects the message contents and the original IP headers. I'm using
Cisco gear which says that transport mode only works when the tunnel
endpoints are the conversing devices. This doesn't seem quite right to me
and I don't understand why that would be required. Can anyone explain
that, or is this particular behavior simply a "cisco-ism"?

  In transport mode, host A encrypts the content of all packets
it sends to host B, and host B decrypts them and encrypts its
responses.  Since only the content is encrypted, the packet sizes
and traffic volumes don't change.
  In tunnel mode, the packets *including headers* are encrypted,
and these form the contents for packets with a new set of headers.
There's some traffic overhead; since the packets are encapsulated,
things like TTL don't update as they traverse the tunnel.

  I think the reason you can't have two routers speak transport mode
between them, transparently, is that encrypting the packet contents
changes things like checksums, and so you no longer have an end-to-end
verification that the contents were not corrupted.  Although that's
a case of "only makes sense when" rather than "only works when", so
maybe there's an additional factor I'm overlooking.

David Gillett
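The two encapsulations compared in the reply above, as an added worked example written for this archive page (it is not code from the thread, from Cisco, or from any IPsec implementation). It builds a constructed IPv4/TCP packet, wraps it in ESP in transport mode and in tunnel mode, pushes both through a few simulated router hops, and then unwraps them. The cipher is a placeholder HMAC-SHA256 keystream standing in for ESP's real transform, the ICV is a truncated HMAC, IP options are assumed absent, and all addresses, keys and SPIs are constructed values. What the numbers show: transport mode keeps the original header (so the visible addresses are the end hosts' own, which is why the peers must be the conversing devices), adds less overhead, and its TTL really does decrement hop by hop; tunnel mode hides the original header behind the gateways' addresses, costs an extra inner header plus ESP, and the inner TTL is frozen at 64 while the outer one counts down.

```python
"""IPsec transport vs tunnel mode, byte layout walk-through (constructed example)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50    # IP protocol number carried by the outer header for ESP
IPIP_PROTO = 4    # ESP "next header" value meaning "an entire IPv4 packet follows"
TCP_PROTO = 6
ICV_LEN = 12      # truncated integrity check value, as HMAC-SHA1-96 style ICVs use
HDR_LEN = 20      # IPv4 header without options (assumed throughout)


def ip_checksum(data: bytes) -> int:
    """One's-complement Internet checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct header checksum."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HDR_LEN + payload_len,
                      0, 0, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """The fields any router or sniffer on the path can read from the outermost header."""
    _, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:HDR_LEN])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl, "len": total}


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PLACEHOLDER for ESP's cipher: HMAC-SHA256 in counter mode as a keystream, XORed in.
    Symmetric, so the same call decrypts. Not a real IPsec transform; layout is the point."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(key: bytes, spi: int, seq: int, protected: bytes, next_header: int) -> bytes:
    """ESP header (SPI, seq) || encrypt(protected || padding || pad_len || next_header) || ICV."""
    pad_len = (-(len(protected) + 2)) % 4               # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = toy_keystream_xor(key, esp_hdr, protected + trailer)
    icv = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + ct + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Check the ICV, decrypt, strip the trailer. Returns (protected_bytes, next_header)."""
    esp_hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pt = toy_keystream_xor(key, esp_hdr, ct)
    pad_len, next_header = pt[-2], pt[-1]
    return pt[:-(pad_len + 2)], next_header


def transport_mode(key: bytes, spi: int, seq: int, ip_pkt: bytes) -> bytes:
    """Transport mode: the original IP header stays; only what follows it is protected."""
    h = parse_ipv4(ip_pkt)
    esp = esp_encapsulate(key, spi, seq, ip_pkt[HDR_LEN:], next_header=h["proto"])
    return ipv4_header(h["src"], h["dst"], ESP_PROTO, len(esp), ttl=h["ttl"]) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, ip_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet, header included, becomes the protected
    content of a new packet addressed between the two gateways."""
    esp = esp_encapsulate(key, spi, seq, ip_pkt, next_header=IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def unprotect(key: bytes, pkt: bytes) -> bytes:
    """Reverse either mode and hand back the original IP packet."""
    outer = parse_ipv4(pkt)
    inner, nh = esp_decapsulate(key, pkt[HDR_LEN:])
    if nh == IPIP_PROTO:                  # tunnel mode: the inner bytes are a complete packet
        return inner
    return ipv4_header(outer["src"], outer["dst"], nh, len(inner), ttl=outer["ttl"]) + inner


def router_hop(pkt: bytes) -> bytes:
    """What each router on the path does: decrement the outer TTL and recompute the outer
    header checksum. Nothing inside ESP is touched."""
    h = parse_ipv4(pkt)
    return ipv4_header(h["src"], h["dst"], h["proto"], h["len"] - HDR_LEN, ttl=h["ttl"] - 1) + pkt[HDR_LEN:]


# Constructed inputs: documentation-range gateway addresses, private end hosts, dummy key.
KEY = b"constructed-demo-key-not-a-real-sa"
HOST_A, HOST_B = "10.0.1.5", "10.0.2.7"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
TCP_SEGMENT = bytes(range(40))                       # stands in for a 40-byte TCP segment
ORIGINAL = ipv4_header(HOST_A, HOST_B, TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT


def demo(hops: int = 3) -> dict:
    """Protect ORIGINAL both ways, cross `hops` routers, and report what each side sees."""
    tr = transport_mode(KEY, 0x1001, 1, ORIGINAL)
    tu = tunnel_mode(KEY, 0x2002, 1, ORIGINAL, GW_A, GW_B)
    for _ in range(hops):
        tr, tu = router_hop(tr), router_hop(tu)
    return {
        "transport_visible": parse_ipv4(tr),           # end-host addresses, proto 50, TTL 64-hops
        "tunnel_visible": parse_ipv4(tu),              # gateway addresses, proto 50, TTL 64-hops
        "transport_overhead": len(tr) - len(ORIGINAL), # ESP header + trailer + ICV only
        "tunnel_overhead": len(tu) - len(ORIGINAL),    # plus a whole extra IPv4 header
        "transport_inner_ttl": parse_ipv4(unprotect(KEY, tr))["ttl"],  # decremented on the path
        "tunnel_inner_ttl": parse_ipv4(unprotect(KEY, tu))["ttl"],     # frozen inside the tunnel
        "tunnel_roundtrip": unprotect(KEY, tu) == ORIGINAL,
        "transport_payload_roundtrip": unprotect(KEY, tr)[HDR_LEN:] == TCP_SEGMENT,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints the outer header each mode exposes to the path, the size overhead (24 bytes for transport, 44 for tunnel with this toy trailer and ICV, since tunnel mode pays for a second IPv4 header), and the inner TTL after three hops: 61 in transport mode, still 64 in tunnel mode. The `unprotect` call also raises on any modification of the ESP portion, which is the integrity check a real ESP ICV provides.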
