Re: RFC 2401 section 5.2.1
Awan Kumar Sharma wrote:
>
> Hi,
> For the past few days, I have seen lots of discussion on the relevance of
> transport and tunnel modes. Although I have not been working on these protocols
> for very long, I see no reason for the relevance of transport mode over tunnel
> mode. The reason being:
>
> 1) Ref : RFC 2401, Section 4.1 Definition and scope.
> It says
> "In IPv4, a transport mode security protocol header
> appears immediately after the IP header and any options, and before
> any higher layer protocols (e.g., TCP or UDP)".
>
> i.e. In transport mode, the packet will look like [IP][ESP][HLP].
> Here I have taken ESP as an example.
> Now we see that in this case, ESP will encrypt *only* [HLP] and thus IP is
> not protected, i.e., encrypted. Even if we select authentication in ESP, the
> IP header is not protected.
>
> About Tunnel Mode, RFC 2401 says,
> "The security protocol header appears after the outer IP header, and
> before the inner IP header".
>
> i.e. In Tunnel Mode, the packet will look like [outer IP][ESP][InnerIP][HLP].
> Now we see that ESP can encrypt the inner IP packet thus maintaining its
> confidentiality. If authentication in ESP is used, the inner IP header is
> fully authenticated also. And I think a security protocol should work in
> this manner.
>
> So, having this argument, I see no reason for transport mode being more
> relevant than tunnel mode.
> Any suggestion/correction in this regard is most welcome.
We've been considering the transport case where [HLP] == "[InnerIP][HLP]"
I.e., transport mode does not exclude the use of IP as its content data.
> 2) Now taking up the argument that transport mode with tunneling is the same
> as tunnel mode in IPsec.
> The tunneled transport mode protected packet will look like :
> [OuterIP][InnerIP][ESP][HLP].
The idea is to tunnel THEN do transport encryption, resulting in:
[OuterIP][ESP][InnerIP][HLP]
> If my first point is correct, then we can see the extent of coverage in
> this case on the same lines as before and compare it with the Tunnel mode
> protected packet, which will look like,
> [OuterIP][ESP][InnerIP][HLP].
As you can see, they now match.
For more information, see draft-touch-ipsec-vpn-00.txt
Joe
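The three layouts compared in this exchange, as an added example that is not part of the thread or of any IPsec implementation: it builds ESP packets in transport mode, in tunnel mode, and as IP-in-IP followed by transport-mode ESP, and checks that the last two are byte-identical (Joe's point). It also shows Awan's point 1: in transport mode the IP header sits in the clear and outside the ICV, since the ICV covers SPI through ciphertext only (which is why the outer header is outside it in tunnel mode as well). Every function name is an assumption, the cipher is a constructed HMAC-SHA256 keystream standing in for a real ESP transform, and the keys and addresses are constructed test values.

```python
"""ESP transport vs. tunnel mode layouts (RFC 2401 s.4.1, RFC 2406).
Added example; constructed keystream cipher, HMAC-SHA1-96 ICV, no real IPsec code."""
import hashlib
import hmac
import struct

ESP_PROTO = 50       # IP protocol number carried in the header preceding ESP
IPIP_PROTO = 4       # IP-in-IP; also ESP's next_header in tunnel mode
IPV4_HDR_LEN = 20    # these constructed headers carry no options
IV_LEN = 8
ICV_LEN = 12         # HMAC-SHA1-96

# Constructed test keys and addresses (assumptions, not from the thread).
ENC_KEY, AUTH_KEY = b"\x11" * 16, b"\x22" * 20
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])      # inner hosts
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])     # security gateways


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left zero since it does not affect coverage."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def _keystream(key, nonce, n):
    """Constructed stream cipher (HMAC-SHA256 in counter mode); not an IPsec transform."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def esp_encapsulate(plaintext, next_header, spi, seq, enc_key, auth_key):
    """RFC 2406 layout: SPI | seq | IV | enc(payload | pad | padlen | nexthdr) | ICV.
    The ICV covers SPI through ciphertext, so the IP header in front of ESP is
    never covered, in either mode."""
    iv = _keystream(enc_key, b"iv" + struct.pack("!I", seq), IV_LEN)  # fixed per seq
    pad_len = (-(len(plaintext) + 2)) % 4                              # 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", spi, seq) + iv + _xor(plaintext + trailer, enc_key, iv)
    return esp + hmac.new(auth_key, esp, hashlib.sha1).digest()[:ICV_LEN]


def esp_verify(esp, auth_key):
    expected = hmac.new(auth_key, esp[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, esp[-ICV_LEN:])


def esp_decapsulate(esp, enc_key, auth_key):
    """Return (next_header, plaintext); raise if the ICV does not verify."""
    if not esp_verify(esp, auth_key):
        raise ValueError("ESP ICV check failed")
    iv = esp[8:8 + IV_LEN]
    body = _xor(esp[8 + IV_LEN:-ICV_LEN], enc_key, iv)
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - pad_len - 2]


def ipip_tunnel(inner, outer_src, outer_dst):
    """Plain IP-in-IP encapsulation, no IPsec involved yet."""
    return ipv4_header(outer_src, outer_dst, IPIP_PROTO, len(inner)) + inner


def transport_mode(pkt, spi, seq, enc_key, auth_key):
    """[IP][ESP][HLP]: ESP follows the IP header and covers only what follows it."""
    hdr, payload = pkt[:IPV4_HDR_LEN], pkt[IPV4_HDR_LEN:]
    esp = esp_encapsulate(payload, hdr[9], spi, seq, enc_key, auth_key)  # hdr[9]: protocol
    return ipv4_header(hdr[12:16], hdr[16:20], ESP_PROTO, len(esp)) + esp


def tunnel_mode(inner, outer_src, outer_dst, spi, seq, enc_key, auth_key):
    """[OuterIP][ESP][InnerIP][HLP]: the whole inner datagram is ESP's payload."""
    esp = esp_encapsulate(inner, IPIP_PROTO, spi, seq, enc_key, auth_key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def _flip(pkt, index):
    """Copy of pkt with one byte inverted (simulated in-flight modification)."""
    out = bytearray(pkt)
    out[index] ^= 0xFF
    return bytes(out)


def build_inner():
    """Constructed inner datagram HOST_A -> HOST_B carrying a 12-byte TCP stand-in."""
    segment = b"TCP-segment!"
    return ipv4_header(HOST_A, HOST_B, 6, len(segment)) + segment


def compare_modes(spi=0x100, seq=1):
    inner = build_inner()
    transport = transport_mode(inner, spi, seq, ENC_KEY, AUTH_KEY)
    tunnel = tunnel_mode(inner, GW_A, GW_B, spi, seq, ENC_KEY, AUTH_KEY)
    tunnel_then_transport = transport_mode(ipip_tunnel(inner, GW_A, GW_B),
                                           spi, seq, ENC_KEY, AUTH_KEY)
    return {
        # Tunnel first, then transport ESP: byte-identical to tunnel-mode ESP.
        "tunnel_then_transport_equals_tunnel": tunnel_then_transport == tunnel,
        # Transport mode: the IP header is in the clear and outside the ICV,
        # so flipping its TTL byte (offset 8) is not detected; flipping the
        # last ciphertext byte is.
        "transport_src_in_clear": transport[12:16] == HOST_A,
        "transport_ip_hdr_change_undetected":
            esp_verify(_flip(transport, 8)[IPV4_HDR_LEN:], AUTH_KEY),
        "transport_esp_change_detected":
            not esp_verify(_flip(transport, -ICV_LEN - 1)[IPV4_HDR_LEN:], AUTH_KEY),
        # Tunnel mode: only gateway addresses are visible; the inner header is inside ESP.
        "tunnel_src_is_gateway": tunnel[12:16] == GW_A,
        "tunnel_inner_round_trips":
            esp_decapsulate(tunnel[IPV4_HDR_LEN:], ENC_KEY, AUTH_KEY) == (IPIP_PROTO, inner),
    }
```

The equality in compare_modes() holds because both packets are built with the same SPI, sequence number and (seq-derived) IV; in a real deployment the IP-in-IP tunnel and the transport SA would be separate configuration, but the bytes on the wire have the same shape, which is the point of the reply.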