
List:       security-basics
Subject:    Re: IPSEC Tunnel vs Transport Mode
From:       Mark Reardon <riscorp () mindspring ! com>
Date:       2003-04-24 12:08:49

Tunnel mode normally runs between two routers. The router at each end takes all traffic destined to the other router and sends it into the tunnel. This means that it does all the security work and then puts it in a new IP packet with the remote router's IP address as the destination.

Some people show this with this diagram (NEW IP HDR : secured payload( original IP HDR, IP payload)).

Tunnel mode works well when you are connecting two offices over a non-secure network. The only item exposed is the IP header used to navigate across the non-secure network.

Transport mode is designed to work between two servers. It is represented something like (IP HDR : secured IP payload).

The IP header is left exposed since if you secure it, you just have to duplicate it to get the IP routing to work between the two servers. There is no benefit and it is more efficient to not do it. Since the IP payload is the transport layer, this was called transport mode.

Cisco's issue is that if a router runs IPSec, it needs the internal IP header to finish routing a received packet. The original IP header had the router as the destination. If you are in transport mode, there isn't another header to use. If you are in tunnel mode, the protected header is used.

I hope that helps.

Mark


-------Original Message-------
From: Robin Atler <ratler@enter.net>
Sent: 04/23/03 09:51 AM
To: security-basics@securityfocus.com
Subject: IPSEC Tunnel vs Transport Mode


I'm setting up a VPN.  I've read some documentation that states, rather 
generically, that IPSEC tunnels can run in either tunnel or transport 
mode.  Transport mode simply protects the message contents while tunnel 
mode protects the message contents and the original IP headers.  I'm using 
Cisco gear which says that transport mode only works when the tunnel 
endpoints are the conversing devices.  This doesn't seem quite right to me 
and I don't understand why that would be required.  Can anyone explain 
that, or is this particular behavior simply a "cisco-ism"?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hands-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------


----
Mark Reardon
Reardon Information Security Corporation
156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell
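The two encapsulations Mark describes, and the routing problem behind the Cisco restriction, can be modelled in a few lines. The following is an added illustration, not code from this thread or from any vendor: the addresses, the shared key, the "header|payload" packet layout and the protect/unprotect transform are all constructed stand-ins (a SHA-256 keystream XOR plus an HMAC tag, which only serves to make the protected bytes opaque here and is not a real ESP transform). It shows that in tunnel mode only the gateway addresses are visible on the wire and the receiving gateway recovers the inner header to finish routing, while in transport mode the original addresses stay visible and a gateway that terminates the SA has no inner header left to route on.

```python
"""Toy model of IPsec tunnel vs transport mode (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-demo-key-not-real"  # shared SA key (constructed)
TAG_LEN = 32                            # HMAC-SHA256 tag length


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes  # everything after the IP header (transport data or an inner packet)


def serialize(pkt: IPPacket) -> bytes:
    """Flatten a packet into 'src>dst|payload' bytes (toy header format)."""
    return f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload


def parse(raw: bytes) -> IPPacket:
    header, _, payload = raw.partition(b"|")
    src, _, dst = header.decode().partition(">")
    return IPPacket(src, dst, payload)


def _keystream(n: int) -> bytes:
    # Deterministic keystream; real ESP uses per-packet IVs/sequence numbers.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def protect(data: bytes) -> bytes:
    """Stand-in for ESP: conceal the data, then append an integrity tag."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(len(data))))
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()


def unprotect(blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(KEY, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(len(ct))))


def tunnel_encapsulate(original: IPPacket, local_gw: str, remote_gw: str) -> IPPacket:
    """Tunnel mode: NEW IP HDR : secured(original IP HDR + IP payload)."""
    return IPPacket(local_gw, remote_gw, protect(serialize(original)))


def transport_encapsulate(original: IPPacket) -> IPPacket:
    """Transport mode: original IP HDR : secured(IP payload)."""
    return IPPacket(original.src, original.dst, protect(original.payload))


def wire_view(pkt: IPPacket) -> tuple[str, str, bytes]:
    """What an observer on the non-secure network sees: src, dst, opaque bytes."""
    return pkt.src, pkt.dst, pkt.payload


def gateway_forward(received: IPPacket, my_addr: str, mode: str) -> IPPacket | None:
    """A router terminating the SA (mode comes from the SA, as in real IPsec).
    Returns the packet to route onward, or None when no inner header exists."""
    if received.dst != my_addr:
        raise ValueError("packet not addressed to this gateway")
    inner = unprotect(received.payload)
    if mode == "tunnel":
        return parse(inner)  # inner header carries the real destination
    return None  # transport: inner data is transport-layer, nothing left to route


if __name__ == "__main__":
    orig = IPPacket("10.0.1.5", "10.0.2.7", b"TCP:GET /index.html")
    t = tunnel_encapsulate(orig, "203.0.113.1", "198.51.100.1")
    print("tunnel on the wire:", wire_view(t)[:2])
    print("gateway forwards to:", gateway_forward(t, "198.51.100.1", "tunnel").dst)
    x = transport_encapsulate(orig)
    print("transport on the wire:", wire_view(x)[:2])
    print("gateway forwards to:", gateway_forward(x, "10.0.2.7", "transport"))
```

Running it prints the gateway pair for the tunnel-mode packet and the original host pair for the transport-mode packet; only the tunnel-mode packet yields an inner destination for the gateway to route on.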


