
RE: IPSec Passthrough



Transport Mode and Tunnel Mode are also different in how fragmentation
is handled. A Transport Mode ESP implementation needs to have its own
fragmentation function as per RFC 2401.

Subrata
 

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Stephen Kent
> Sent: Friday, May 02, 2003 11:41 AM
> To: Joshua Graessley
> Cc: ipsec@lists.tislabs.com
> Subject: Re: IPSec Passthrough
> 
> 
> >
> >There are two "modes" that IPSec operates in, tunnel mode and
> >transport mode. This is, in my opinion, a little bogus because 
> >"tunnel mode" is really just transport mode where the next header is 
> >an IP header instead of UDP, TCP, ICMP or some other protocol. 
> >Anyhow, the NAT transparency only works with Tunnel mode (where the 
> >next header after the ESP header is IP). In transport mode, the TCP 
> >and UDP checksums will be screwed up. ESP encrypts and authenticates 
> >the payload so the NAT can't molest it. The UDP and TCP checksums 
> >take bits of the IP header into account, most notably the source 
> >and destination IP addresses. The NAT modifies the destination IP 
> >address. Since it can't see or modify the TCP or UDP checksum to 
> >compensate for the address change, TCP and UDP packets will be 
> >dropped due to a bad checksum.
> 
> Josh,
> 
> Tunnel and transport mode differ in several ways that make them more 
> different than what you suggest above, for example:
> 
> 	- in tunnel mode we discard the outer IP header, whereas in 
> transport mode we don't discard anything from the inbound packet
> 
> 	- the modes differ in terms of which headers are checked for 
> inbound access control (the topic of a recent thread on this list)
> 
> Steve
>
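As an added illustration of the checksum point made in the quoted message (this code is not part of the original thread), the Python below builds a UDP segment whose checksum covers the RFC 768 pseudo-header, verifies it the way a receiver does, and then re-verifies it after a NAT-style address rewrite. Addresses, ports and payload are constructed for the example.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: the IP source and destination addresses are part
    of what the UDP checksum covers, which is why a NAT rewrite invalidates it."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 17, udp_len))  # 17 = IP protocol number of UDP

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment with a checksum that is correct for these IP endpoints."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zero while computing
    csum = inet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a computed zero is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def udp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment (checksum included) folds to zero."""
    return inet_checksum(udp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

# Constructed sample: a host on a private network sends to a peer; addresses are illustrative.
INNER_SRC, PEER = "10.0.0.5", "198.51.100.7"
SEGMENT = build_udp(INNER_SRC, PEER, 4500, 4500, b"hello")

def nat_breaks_transport_mode_checksum(nat_public_ip: str = "203.0.113.1"):
    """Return (valid before NAT, valid after the NAT rewrites the source address).
    A NAT on cleartext traffic would patch the checksum field; with ESP in transport
    mode that field is inside the protected payload, so the mismatch reaches the peer."""
    before = udp_checksum_ok(INNER_SRC, PEER, SEGMENT)
    after = udp_checksum_ok(nat_public_ip, PEER, SEGMENT)
    return before, after

if __name__ == "__main__":
    print(nat_breaks_transport_mode_checksum())  # (True, False)
```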