CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.1 Remote Access
2.1.7 IPSEC


IPSec Transport and Tunnel Modes

IPSec supports Transport and Tunnel modes for encryption. Transport mode encrypts only the data portion of the encapsulated packet, while Tunnel mode encrypts both the data and the header portions of the encapsulated packet, hiding more information about the underlying communications [159].

A typical transport-mode packet looks like Figure 19.

Figure 19: A simplified comparison of IPv4 and IPSec Transport mode. A more detailed drawing would be: IP header + AH header + ESP header + TCP/UDP header + payload + IPSec ESP trailer + IPSec ESP Auth.
The “Tunnel” mode is most commonly used to encapsulate existing IP traffic for communication between hosts on networks connected by IPSec-enabled routers. With routers doing the IPSec encapsulation, no changes are required to software or drivers on the hosts – the IPSec encryption is effectively transparent.

A typical tunnel-mode packet looks like Figure 20.

Figure 20: A simplified comparison of IPv4 and IPSec Tunnel mode. A more detailed drawing would be: Transit IP header + IPSec ESP header + original IP header + TCP/UDP header + payload + IPSec ESP trailer + IPSec ESP Auth.
The flexibility of IPSec allows multiple sites to be connected into a secure VLAN using VPN technologies, or a road warrior to connect in transport mode where the road warrior has no control over a router and tunnel mode would therefore fail. Because IPSec creates a separate SA for sending and for receiving, each SA can use a different mode.
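As an added example (not part of the CertiGuide text), the two layouts from Figures 19 and 20 modelled in Python: a constructed inner TCP/IP packet is wrapped in ESP in transport mode and in tunnel mode, and an observer function shows what remains readable on the wire in each case. The XOR keystream stands in for the SA's real cipher, and the key, addresses and SPIs are constructed values.

```python
import hashlib, hmac, socket, struct

ESP, TCP, IPIP = 50, 6, 4       # IP protocol numbers: ESP, TCP, IP-in-IP (tunnel-mode next header)
KEY = b"constructed-demo-key"   # constructed; a real SA key is negotiated by IKE

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp(spi, seq, plaintext, next_header):
    """ESP framing per RFC 4303: SPI | seq | {payload | pad | pad_len | next_header} | ICV."""
    pad = (4 - (len(plaintext) + 2) % 4) % 4
    body = plaintext + bytes(range(1, pad + 1)) + bytes([pad, next_header])
    # Stand-in for the SA's cipher: XOR with a per-packet keystream (demo only, not AES).
    stream = hashlib.sha256(KEY + struct.pack("!I", seq)).digest()
    ct = bytes(b ^ stream[i % 32] for i, b in enumerate(body))
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, hdr + ct, hashlib.sha256).digest()[:16]  # integrity over SPI..ciphertext
    return hdr + ct + icv

def transport_mode(inner):
    """Keep the original IP header on the wire; protect only what follows it (Figure 19)."""
    ip, rest = inner[:20], inner[20:]
    src, dst, proto = ip[12:16], ip[16:20], ip[9]
    payload = esp(0x1001, 1, rest, proto)
    return ipv4_header(socket.inet_ntoa(src), socket.inet_ntoa(dst), ESP, len(payload)) + payload

def tunnel_mode(inner, gw_src, gw_dst):
    """Wrap the whole original packet, header included, in a new transit IP header (Figure 20)."""
    payload = esp(0x2002, 1, inner, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(payload)) + payload

def observer_view(wire):
    """What a passive observer on the path can read without the SA key."""
    proto = wire[9]
    view = {"src": socket.inet_ntoa(wire[12:16]), "dst": socket.inet_ntoa(wire[16:20]), "proto": proto}
    if proto == ESP:
        view["spi"], view["seq"] = struct.unpack("!II", wire[20:28])
    return view

# Constructed inner packet: host 10.0.0.5 -> 10.0.1.7, TCP to port 443, 8 bytes of application data.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 1024, 0, 0)
INNER = ipv4_header("10.0.0.5", "10.0.1.7", TCP, len(TCP_HDR) + 8) + TCP_HDR + b"GET /..."

if __name__ == "__main__":
    print("transport:", observer_view(transport_mode(INNER)))        # host addresses exposed
    print("tunnel:   ", observer_view(tunnel_mode(INNER, "203.0.113.1", "198.51.100.1")))  # only gateways
```

In transport mode the observer still sees which two hosts are talking; in tunnel mode only the two gateway addresses, the SPI and the sequence number are visible, which is the "hiding more information" the text refers to.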

For a concise, clear explanation of IPSec on Windows 2000 networks, check out Configuring Windows 2000 Server Security [160].

IPSec Transport or Tunnel

IPSec can be used in either transport or tunnel modes.

Transport mode encrypts only the data portion of the packet and can be used with non-IPSec-enabled routers, or between a server and a client, so it is useful for allowing road warriors to connect to the corporate network via public networks; its use is generally not transparent to the client system, because IPSec must be installed and properly configured on the client.

Tunnel mode encrypts both data and header, providing more communication privacy; since tunnel mode can be implemented between cooperating IPSec-enabled routers, the use of IPSec in tunnel mode can be transparent to client systems.

Notes

159. HowStuffWorks, "How Virtual Private Networks Work", http://www.howstuffworks.com/vpn3.htm

160. Shinder, Thomas W., Debra Littlejohn Shinder, and D. Lynn White, Configuring Windows 2000 Server Security, Syngress, January 2000, http://www.nerdbooks.com/item.html?id=1928994024


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.