Encapsulation modes
IPSec can work in the following two modes:
■ Tunnel mode: The whole IP packet is used to calculate the AH/ESP header, which is encapsulated into a new IP packet together with the ESP-encrypted data. Generally, tunnel mode is used for communication between two security gateways.
■ Transport mode: Only the transport layer data is used to calculate the AH/ESP header, which is placed after the original IP header and before the ESP-encrypted data. Generally, transport mode is used for communication between two hosts or between a host and a security gateway.
Figure 550 illustrates how data are encapsulated by different security protocols in tunnel and transport modes. Here, the term data refers to the transport layer data.
Figure 550 Encapsulation by security protocols in different modes
[Figure: packet layouts by mode (Transport, Tunnel) and protocol (AH, ESP, AH-ESP), outermost header first.
Transport mode: AH: IP | AH | Data; ESP: IP | ESP | Data | ESP-T; AH-ESP: IP | AH | ESP | Data | ESP-T.
Tunnel mode: AH: new IP | AH | IP | Data; ESP: new IP | ESP | IP | Data | ESP-T; AH-ESP: new IP | AH | ESP | IP | Data | ESP-T.
ESP-T denotes the ESP trailer.]
Authentication algorithms and encryption algorithms
1 Authentication algorithms
Authentication algorithms are implemented through hash functions. A hash function takes a message of arbitrary length and generates a message digest of fixed length. Each IPSec peer calculates the message digest independently. If the resulting digests are identical, the packet is considered intact and not tampered with.
There are two types of IPSec authentication algorithms:
■ MD5: Takes a message of arbitrary length and generates a 128-bit message digest.
■ SHA-1: Takes a message of fewer than 2^64 bits and generates a 160-bit message digest.
MD5 is faster than SHA-1, yet SHA-1 provides higher security than MD5.
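The two points above, the coverage of the AH/ESP calculation in each mode and the peer-side digest comparison, as an added example that is not part of the original manual. It follows the page's simplified model (tunnel mode covers the whole IP packet, transport mode only the transport layer data) and keys the digest with HMAC as IPSec implementations do in practice; the packet bytes and the shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample packet (not a real capture): 20-byte IPv4 header
# (src 192.168.1.1, dst 192.168.1.2, protocol UDP), 8-byte UDP header, payload.
IP_HEADER = bytes.fromhex("45000027" "00004000" "40110000" "c0a80101" "c0a80102")
TRANSPORT_DATA = bytes.fromhex("1f901f90" "00130000") + b"hello ipsec"
PACKET = IP_HEADER + TRANSPORT_DATA
IP_HEADER_LEN = 20

KEY = b"constructed-shared-key"  # assumption: both peers hold the same key

# Digest sizes as stated in the text: MD5 gives 128 bits, SHA-1 gives 160 bits.
ALGORITHMS = {"md5": (hashlib.md5, 128), "sha1": (hashlib.sha1, 160)}


def covered_bytes(packet: bytes, mode: str) -> bytes:
    """Part of the packet the AH/ESP digest is calculated over in each mode."""
    if mode == "tunnel":
        return packet                  # whole IP packet
    if mode == "transport":
        return packet[IP_HEADER_LEN:]  # transport layer data only
    raise ValueError(f"unknown mode: {mode}")


def digest(packet: bytes, mode: str, alg: str = "sha1", key: bytes = KEY) -> bytes:
    """Sender side: keyed digest over the covered bytes."""
    hash_fn, bits = ALGORITHMS[alg]
    mac = hmac.new(key, covered_bytes(packet, mode), hash_fn).digest()
    assert len(mac) * 8 == bits
    return mac


def verify(packet: bytes, received: bytes, mode: str, alg: str = "sha1", key: bytes = KEY) -> bool:
    """Receiver side: recalculate and compare in constant time."""
    return hmac.compare_digest(digest(packet, mode, alg, key), received)


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Copy of the packet with one byte changed (simulates in-transit modification)."""
    out = bytearray(packet)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    sent = digest(PACKET, "tunnel")
    print("tunnel, IP header modified   :", verify(flip_byte(PACKET, 12), sent, "tunnel"))
    sent = digest(PACKET, "transport")
    print("transport, IP header modified:", verify(flip_byte(PACKET, 12), sent, "transport"))
    print("transport, payload modified  :", verify(flip_byte(PACKET, 28), sent, "transport"))
```

Offset 12 is the first byte of the source address in the IP header and offset 28 the first payload byte, so the run shows which modifications each mode's digest detects under this model.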
2 Encryption algorithms
Most encryption algorithms depend on symmetric key systems, which use the same key for encryption and decryption. Currently, three encryption algorithms are available for IPSec on the device:
■ DES: Data Encryption Standard, encrypts a 64-bit block of plain text with a 56-bit key.
■ 3DES: Triple DES, encrypts plain text with three 56-bit DES keys, which total 168 bits.