and 2 others joined a min ago.
1
63kviews
Differentiate between the transport mode and tunnel mode of IP Sec and explain how authentication and confidentiality are achieved using IP Sec.
1 Answer
8
2.3kviews
written 7.3 years ago by
teamques10
★ 64k
|
| Transport mode | Tunnel mode |
|---|---|
| Here end hosts do IPsec encapsulation of their own data; hence IPsec needs to implemented on each end-hosts | IPsec gateways provide service to other hosts in peer-to-peer tunnels; hence the end-hosts don’t need IPsec. |
| Lower overhead than tunnel mode | More overhead required |
| No edits on IP header | The entire packet is hashed or encrypted; IP header is applied to the packet during transit. |
| Used in securing communication from one device to another. | Used to tunnel traffic from one site to another |
| It is good for ESP host-to-host traffic | It is good for VPNs, gateway-to-gateway security. |
| Provides protection primarily to upper layer protocols | Provides protection to entire IP packet |
| AH in transport mode authenticates the IP payload and selected portions of IP header. | AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header. |
| ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. | ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. |
Authentication is provided by Authentication Header (AH)
- The AH provides source authentication. It protects against source spoofing.
- The AH protects against replay attacks by using monotonically increasing sequence numbers.
- But it cannot provide confidentiality.
- The AH header format is shown aside:
- Next header $\rightarrow$ type of header immediately following this header (e.g., TCP, IP, etc.)
- Payload length $\rightarrow$ length of AH (in 32 bit words) minus 2
- Security Parameters Index $\rightarrow$ identifies the SA used to generate this header
- Sequence number $\rightarrow$ sequence o Sequence number $\rightarrow$ sequence number of the packet
- Authentication data $\rightarrow$ a (truncated) MAC (default length is 3x32 bits)
Confidentiality is achieved using encapsulating security payload (ESP):
The header format of ESP is given as:
- Security Parameters Indexidentifies the SA used to generate this encrypted packet
- Sequence number
- Payload $\rightarrow$ transport level segment (transfer mode) or encapsulated IP packet (tunnel mode)
- Padding $\rightarrow$ variable length padding
- Pad length
- Next header $\rightarrow$ identifies the type of data contained in the header
- Authentication data $\rightarrow$ a (truncated) MAC computed over the ESP packet
ADD COMMENT
EDIT
Please log in to add an answer.