Nokia Voyager Reference Manual page 585


In transport mode the original IP header remains the outer header. The
security header is placed between the IP header and the IP payload. This mode
offers some light bandwidth savings, at the expense of exposing the original
IP header to third-party elements in the packet path. It is generally used by
hosts—communication end-points. It can be used by routers if they are acting
as communication end-points.

In tunnel mode, the original IP datagram is placed inside a new datagram, and
AH and/or ESP are inserted between the IP header of the new packet and the
original IP datagram. The new header points to the tunnel endpoint, and the
original header points to the final destination of the datagram. Tunnel mode
offers the advantage of complete protection of the encapsulated datagram and
the possibility to use private/public address space. Tunnel mode is meant to be
used by routers—gateways. Hosts can operate in tunnel mode too.

With IPsec transport mode:
- If AH is used, selected portions of the original IP header and the data
  payload are authenticated.
- If ESP is used, no protection is offered to the IP header, but data payload
  is authenticated and can be encrypted.

[Figure: transport mode packet layout (IP header, AH, Payload), with the
authenticated region marked]
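
The following Python sketch is an added example, not part of the Voyager manual. It builds one constructed AH packet per mode and classifies each from the fields an on-path observer can read, showing that transport mode exposes the original end-point addresses in the outer header while tunnel mode shows the tunnel endpoints there. The addresses, SPIs, and function names are assumptions made for illustration.

```python
import struct

AH, ESP, IPIP = 51, 50, 4  # IANA protocol numbers

def dotted(b):
    return ".".join(map(str, b))

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    """AH: next header, length, reserved, SPI, sequence number, ICV."""
    words = (12 + len(icv)) // 4 - 2   # AH length is in 32-bit words minus 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + icv

def classify(packet):
    """Report what the outer header and AH reveal about the IPsec mode."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    seen = {"outer": (dotted(packet[12:16]), dotted(packet[16:20]))}
    if proto == ESP:
        # ESP keeps its next-header byte in the trailer, which may be encrypted
        return {**seen, "proto": "ESP", "mode": "unknown"}
    if proto != AH:
        return {**seen, "proto": "none", "mode": "none"}
    next_header = packet[ihl]
    ah_len = (packet[ihl + 1] + 2) * 4
    if next_header == IPIP:            # AH is followed by a whole IP datagram
        inner = packet[ihl + ah_len:]
        return {**seen, "proto": "AH", "mode": "tunnel",
                "inner": (dotted(inner[12:16]), dotted(inner[16:20]))}
    return {**seen, "proto": "AH", "mode": "transport"}

# Constructed sample packets; all addresses and SPIs are made up
DATA = b"\x00" * 8
HOST_A, HOST_B = (10, 0, 1, 5), (10, 0, 2, 9)
GW_A, GW_B = (192, 0, 2, 1), (198, 51, 100, 1)
ah_t = ah_header(17, 0x1000, 1)        # next header 17 = UDP payload
TRANSPORT = ipv4_header(HOST_A, HOST_B, AH, len(ah_t) + len(DATA)) + ah_t + DATA
inner_dgram = ipv4_header(HOST_A, HOST_B, 17, len(DATA)) + DATA
ah_tun = ah_header(IPIP, 0x2000, 1)
TUNNEL = ipv4_header(GW_A, GW_B, AH, len(ah_tun) + len(inner_dgram)) + ah_tun + inner_dgram

if __name__ == "__main__":
    print(classify(TRANSPORT))
    print(classify(TUNNEL))
```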
