
1-Show the differences between transport mode and tunnel mode in which the IPsec

ID: 3712266 • Letter: 1

Question

1- Show the differences between transport mode and tunnel mode in which the IPsec ESP service can be used.
2- Explain all services that are provided by ESP of IPsec.
3- Show the format of an ESP packet, with all fields.

Explanation / Answer

1) Answer:

Tunnel mode:

Tunnel mode encapsulates the whole IP packet by either encrypting it, authenticating it or, most likely, doing both. Tunnel mode will encapsulate our packets with IPsec headers and trailers.

ESP and AH are used. The ESP (Encapsulation Security Protocol) header and trailer plus the AH (Authentication Header) are inserted together in front of and behind our IP packet. Sometimes it is only the ESP part. After the encapsulation a new IP header is prepended to the packet so that it carries the IPsec endpoints as the new source and destination. Without this part we cannot forward the packet, as it is most probably encrypted and intermediary devices cannot see the IP destination address inside to deduce where to send it next.

Tunnel mode may be used with any kind of IP traffic. On the other hand, it must be used if IPsec is protecting traffic from hosts behind the IPsec peers. It means that it must be used if you are making a ‘site to site’ VPN and protecting traffic for hosts behind both sides of the tunnel who are talking to each other across that tunnel. For example, tunnel mode is used with a VPN where hosts on one protected network send packets to hosts on a second protected network via our pair of IPsec peers. With site to site VPNs the thing is that hosts on the separate (VPN connected) networks are the session endpoints and the IPsec peers are just tunneling the protected traffic between the peers on the way from one host to another. We can say that the IPsec peers are proxies for the hosts behind them.

Client VPN connections also use tunnel mode when establishing IPsec VPNs with the remote gateway. If some remote worker is connecting his notebook using a VPN client, and it is connecting to an ASA firewall that is the gateway at his office, traffic from that client will be encapsulated/encrypted with a new IP header and trailer and sent to the ASA. When received and decrypted by the ASA, the original IP data packet will be sent to the local LAN device that was the destination. It works backwards also, but basically that user will be NATed to some inside LAN network IP address, so it will continue to work as if he were cable connected in his office.

In tunnel mode IPsec will basically be set in place by either an ESP or an AH header inserted between the real packet IP header and the upper layer protocol. ESP is preferred when it comes to IPsec VPN tunnel solutions.

->Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by another set of IP headers.

->It is widely implemented in site-to-site VPN scenarios.

->NAT traversal is supported with the tunnel mode.

->Additional headers are added to the packet; so the payload MSS is less.

TRANSPORT MODE

Transport mode can be used to protect the traffic that the IPsec peers themselves generate and exchange. This means that if we configure transport mode on some tunnel interface it will only be used when the traffic to be protected has the same IP addresses as the IPsec peers. It could also be encapsulated in tunnel mode like everything else, but here is an interesting concept.

If we are using tunnel mode, it is basically a tunneling mechanism that hides everything inside a header/trailer capsule. But what if we are using GRE? If we are using GRE and then tunnel mode IPsec, we will basically make tunneling and another tunneling inside the tunnel, right? Only one of those tunnels will encrypt and the other will not. Enabling GRE to make encryption and avoid double tunneling is done by enabling transport mode on the GRE tunnel.

The transport mode setting, if set, is ignored for all other traffic, and all other traffic is encapsulated in tunnel mode. Nice, huh? Basically it means that if you configure transport mode you allow that router to negotiate with the remote peer whether to use transport or tunnel mode.

Transport mode only protects the payload; no headers are involved in the encrypting and concealing of bits. Data is encrypted, authenticated, and all that together, but the header remains exactly as it was. The payload will in that way be hidden by the IPsec headers and trailers: the same old ESP header and trailer, an AH header, or both. Do not confuse yourself when looking at those images: the header remains the same, but it is still duplicated and prepended to the original payload that was protected by encryption and so on. In that way it can be used to get the packet routed from the sending towards the receiving peer (you need some kind of header for a router to decide where to send the packet next, right?).

One example of when transport mode will be used is for protection of router management traffic. It can also be that you use an encrypted RDP session or SSH from your PC to a server. It will also be good there to use transport mode, as in that case two hosts are speaking directly to each other through an IPsec tunnel.

Payload sent in transport mode is encapsulated by an IPsec header and trailer. The original IP header remains the same, but the IP protocol field is changed to 50 for ESP or 51 in the case of AH. The original protocol value will always be saved in the IPsec trailer so it can be restored when the packet is decrypted.

->The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.

->The IPsec Transport mode is implemented for client-to-site VPN scenarios.

->NAT traversal is not supported with the transport mode.

->MSS is higher, when compared to Tunnel mode, as no additional headers are required.

->The transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets.
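As an added illustration of the encapsulation difference described in the answer above (example code, not part of the original answer): a constructed Python model of ESP in transport mode and tunnel mode. It builds the outer IP header, the ESP header and the ESP trailer around a sample packet and reverses them again; the encryption step itself is omitted so the byte layout stays visible, and the hosts, gateways and SPI values are constructed sample values.

```python
import struct

ESP_PROTO = 50    # IP protocol number for ESP (the "50" mentioned in the answer)
IPIP_PROTO = 4    # Next Header value meaning "an IPv4 packet follows" (tunnel mode)

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options, checksum left at zero (constructed for illustration).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def esp_encapsulate(inner, next_header, spi, seq):
    # ESP header (SPI, sequence number) + protected data + ESP trailer (padding to a
    # 4-byte boundary, pad length, next header). The part a real implementation would
    # encrypt is left in clear here so the layout stays visible.
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + inner + padding + struct.pack("!BB", pad_len, next_header)

def esp_transport(ip_packet, spi, seq=1):
    # Transport mode: original IP header kept, its protocol field set to 50, only the
    # payload protected; the original protocol number is saved in the trailer.
    hdr, payload = ip_packet[:20], ip_packet[20:]
    body = esp_encapsulate(payload, hdr[9], spi, seq)
    return ipv4_header(hdr[12:16], hdr[16:20], ESP_PROTO, len(body)) + body

def esp_tunnel(ip_packet, peer_src, peer_dst, spi, seq=1):
    # Tunnel mode: the whole original packet is protected and a new IP header
    # with the IPsec peers as source/destination is prepended.
    body = esp_encapsulate(ip_packet, IPIP_PROTO, spi, seq)
    return ipv4_header(peer_src, peer_dst, ESP_PROTO, len(body)) + body

def esp_decapsulate(packet):
    # Reverse either mode: returns (mode, restored inner IP packet).
    hdr, body = packet[:20], packet[20:]
    if hdr[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    if next_header == IPIP_PROTO:
        return "tunnel", inner
    return "transport", ipv4_header(hdr[12:16], hdr[16:20], next_header, len(inner)) + inner

def outer_view(packet):
    # What an intermediate router sees: outer addresses, protocol, SPI and total size.
    dotted = lambda b: ".".join(map(str, b))
    spi = struct.unpack("!I", packet[20:24])[0]
    return {"src": dotted(packet[12:16]), "dst": dotted(packet[16:20]), "proto": packet[9], "spi": spi, "length": len(packet)}

# Constructed sample: host A behind gateway GW1 sends TCP (protocol 6) to host B behind GW2.
HOST_A, HOST_B = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])
GW1, GW2 = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
ORIGINAL = ipv4_header(HOST_A, HOST_B, 6, 5) + b"hello"
```

Comparing `outer_view(esp_transport(ORIGINAL, 0x1000))` with `outer_view(esp_tunnel(ORIGINAL, GW1, GW2, 0x2000))` shows the two points made above: the transport packet still carries the host addresses and is 20 bytes shorter, while the tunnel packet carries only the gateway addresses on the outside.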