572 Chapter 15: Network Security Technologies
hiding IP addresses is not important. Tunnel mode is commonly used in conjunction with VPN
services, where a remote user appears to be within a local network.
· Transport mode--The ESP header is inserted after the IP header and before the upper-layer protocol header. Figure 15-13 shows the transport-mode packet.
Figure 15-13 Transport Mode
· Tunnel mode--With tunnel mode, a new tunnel IP header and ESP header are added before the original IP header and payload, as shown in Figure 15-14. The tunnel method offers protection similar to that of AH by protecting the header from being exposed.
Figure 15-14 Tunnel Mode
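To make the two ESP layouts concrete, the following is an added Python example (not code from the book) that builds a constructed IPv4 datagram and encapsulates it both ways: transport mode inserts the ESP header (SPI and sequence number) between the original IP header and the upper-layer data, while tunnel mode places a new outer IP header and the ESP header in front of the entire original packet, header included. Encryption and the ESP trailer are omitted so only the framing is shown; the host and gateway addresses are assumed placeholders.

```python
import ipaddress
import struct

ESP_PROTO = 50  # IP protocol number that marks an ESP header as the next header

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left 0 (a real stack fills it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit Security Parameters Index then 32-bit sequence number."""
    return struct.pack("!II", spi, seq)

def esp_transport(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the original IP header (Protocol rewritten to 50) and insert
    the ESP header between it and the upper-layer data; only that data gets encrypted."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, upper = bytearray(packet[:ihl]), packet[ihl:]
    new_payload = esp_header(spi, seq) + upper      # "old payload" becomes "new payload"
    ip_hdr[9] = ESP_PROTO
    struct.pack_into("!H", ip_hdr, 2, ihl + len(new_payload))  # fix total length
    return bytes(ip_hdr) + new_payload

def esp_tunnel(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: new outer IP header (gateway addresses) + ESP header in front of the
    entire original datagram, so the original header travels inside the protected payload."""
    inner = packet                                   # original IP header + payload, intact
    esp = esp_header(spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp) + len(inner)) + esp + inner

def dissect_esp(packet: bytes) -> dict:
    """Read what an observer on the wire can see: outer addresses, SPI, sequence number,
    and the size of the ESP-protected payload (its contents would be ciphertext)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"visible_src": str(ipaddress.IPv4Address(packet[12:16])),
            "visible_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "spi": spi, "seq": seq, "esp_payload_len": len(packet) - ihl - 8}

# Constructed sample: a 37-byte UDP datagram between two private hosts (addresses made up).
UPPER = b"hello-upper-layer"                                   # 17 bytes of upper-layer data
SAMPLE_PACKET = ipv4_header("10.1.1.5", "10.2.2.7", 17, len(UPPER)) + UPPER

if __name__ == "__main__":
    print(dissect_esp(esp_transport(SAMPLE_PACKET, 0x1000, 1)))   # inner hosts stay visible
    print(dissect_esp(esp_tunnel(SAMPLE_PACKET, 0x2000, 7, "192.0.2.1", "198.51.100.1")))
```

Running it shows why the book says tunnel mode hides the original header: the transport-mode packet still exposes 10.1.1.5 and 10.2.2.7 on the wire, while the tunnel-mode packet exposes only the gateway addresses.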
Authentication Header (AH)
The IP Authentication Header (AH) protocol (RFC 2402) protects the entire datagram by embedding the header into the data or payload portion of the packet and creating a new header. It is important to understand that AH authenticates only the origin of the packet, that is, that it came from the sender it claims to come from, as shown in Figure 15-15. AH can be applied alone or in combination with the IPSec ESP to
[Figure 15-13 labels: IP header | ESP header (added) | Payload; the old payload becomes the new payload, possibly encrypted]
[Figure 15-14 labels: Tunnel IP header | ESP header | Original IP header | Payload; the old payload is encrypted]
87200333.book Page 572 Wednesday, August 22, 2001 1:41 PM