NE40E V800R010C10SPC500 Feature Description - Security 01

Encapsulation Mode

IPsec currently supports the transport mode and tunnel mode.

Transport Mode

With the transport mode, the AH or ESP header is inserted following the IP header, but before all transport layer protocol headers or all other IPsec protocol headers, as shown in Figure 13-18.
Figure 13-18 Format of a packet in transport mode

The transport mode does not change the IP packet header. Only the IP protocol field is changed to 51 (AH) or 50 (ESP), and the checksum of the IP packet header is re-calculated. The source and destination addresses of the IPsec tunnel must be the source and destination addresses in the IP packet header. Therefore, the transport mode is applicable only to communications between hosts.

In transport mode, AH verifies the entire IP packet during integrity verification. If the content of the IP packet is changed, the AH verification on the receiving end fails. Therefore, AH cannot coexist with the NAT protocol that changes the IP address in the IP packet header. ESP checks the integrity of the ESP header, transport layer protocol header, data, and ESP tail, instead of the IP packet header. Therefore, ESP cannot ensure the security of the IP packet header but can coexist with the NAT protocol. ESP encryption covers the transport layer protocol header, data, and ESP tail.

Tunnel Mode

Figure 13-19 shows the packet format in tunnel mode. In this mode, the original IP packet is encapsulated in a new IP packet, and an IPsec header (AH or ESP) is inserted between the original header (IP Header in Figure 13-19) and the new header (New IP Header in Figure 13-19). The original IP header, addresses included, is protected by IPsec as part of the payload.
Figure 13-19 Format of a packet in tunnel mode

In tunnel mode, the original IP packet header is hidden. Therefore, the tunnel mode is mainly applicable to communications between VPN gateways or between a host and a VPN gateway.

In tunnel mode, the AH protocol checks the integrity of the whole IP packet, including the new IP header. The ESP protocol checks the integrity of the ESP header, original IP header, transport layer protocol header, data, and ESP tail, but not the new IP header. Therefore, the ESP protocol cannot ensure the security of the new IP header. The ESP protocol encrypts the transport layer protocol header, data, and ESP tail.

If both AH and ESP are used, the two protocols must use the same encapsulation mode.
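The following Python script is an added example and is not part of this Huawei document or the NE40E software. It builds the transport-mode and tunnel-mode layouts described above from constructed inputs (host and gateway addresses, an SPI, an integrity key and a TCP segment are all made up for the demonstration) and shows the two consequences the text states: in transport mode only the protocol field (51 for AH, 50 for ESP) and the checksum of the existing IP header change, and because AH's integrity check covers the IP addresses while ESP's does not, an AH packet fails verification after a NAT rewrites its source address whereas an ESP packet still verifies. Tunnel mode is shown by wrapping the whole original packet, header included, inside a new outer header between two gateways. Encryption is omitted (the bytes a real SA would encrypt are left in the clear) and the integrity check is HMAC-SHA256 truncated to 128 bits; every function name here is the example's own.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4            # next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51
SPI = 0x10000001            # constructed SPI
KEY = b"constructed-demo-integrity-key"   # constructed; real SA keys are negotiated by IKE


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header; 0 means a stored checksum is valid."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def finish_header(hdr: bytes) -> bytes:
    """Zero the checksum field, recompute it and write it back."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return finish_header(hdr)


def rewrite_header(ip_hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Transport mode keeps the original header: only protocol, total length and checksum change."""
    hdr = ip_hdr[:2] + struct.pack("!H", 20 + payload_len) + ip_hdr[4:9] + bytes([proto]) + ip_hdr[10:]
    return finish_header(hdr)


def ah_icv(packet: bytes) -> bytes:
    """AH covers the whole packet; mutable header fields (TOS, flags/offset, TTL, checksum) are zeroed."""
    h = packet[:20]
    fixed = h[:1] + b"\x00" + h[2:6] + b"\x00\x00\x00" + h[9:10] + b"\x00\x00" + h[12:]
    return hmac.new(KEY, fixed + packet[20:], hashlib.sha256).digest()[:16]


def ah_encapsulate(ip_hdr: bytes, payload: bytes, next_header: int) -> bytes:
    """AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    ah = struct.pack("!BBHII", next_header, 5, 0, SPI, 1) + b"\x00" * 16   # ICV zeroed while computing
    hdr = rewrite_header(ip_hdr, IPPROTO_AH, len(ah) + len(payload))
    icv = ah_icv(hdr + ah + payload)
    return hdr + ah[:12] + icv + payload


def ah_verify(packet: bytes) -> bool:
    zeroed = packet[:32] + b"\x00" * 16 + packet[48:]
    return hmac.compare_digest(ah_icv(zeroed), packet[32:48])


def esp_encapsulate(ip_hdr: bytes, payload: bytes, next_header: int) -> bytes:
    """ESP: header (SPI, seq) + payload + tail (pad, pad len, next header) + ICV; the IP header is not covered."""
    esp_hdr = struct.pack("!II", SPI, 1)
    pad = b"\x00" * ((4 - (len(payload) + 2) % 4) % 4)
    tail = pad + bytes([len(pad), next_header])
    body = esp_hdr + payload + tail      # payload and tail would be encrypted in a real SA; left in clear here
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:16]
    hdr = rewrite_header(ip_hdr, IPPROTO_ESP, len(body) + len(icv))
    return hdr + body + icv


def esp_verify(packet: bytes) -> bool:
    body, icv = packet[20:-16], packet[-16:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:16], icv)


def nat_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT on the path does: replace the source address and fix the header checksum."""
    hdr = packet[:12] + socket.inet_aton(new_src) + packet[16:20]
    return finish_header(hdr) + packet[20:]


def demo() -> dict:
    tcp = b"\x04\xd2\x00\x50" + b"\x00" * 16 + b"hello"   # constructed TCP header (1234 -> 80) + data
    host_a, host_b = "10.1.1.10", "10.1.2.20"
    orig = build_ipv4_header(host_a, host_b, IPPROTO_TCP, len(tcp)) + tcp

    # Transport mode: original header kept, protocol field becomes 51 (AH) or 50 (ESP)
    ah_pkt = ah_encapsulate(orig[:20], tcp, IPPROTO_TCP)
    esp_pkt = esp_encapsulate(orig[:20], tcp, IPPROTO_TCP)

    # Tunnel mode: new outer header between the gateways; the whole original packet is the ESP payload
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"
    tun_pkt = esp_encapsulate(build_ipv4_header(gw_a, gw_b, IPPROTO_ESP, 0), orig, IPPROTO_IPIP)

    # A NAT rewrites the source address of both transport-mode packets
    natted_ah = nat_source(ah_pkt, "192.0.2.7")
    natted_esp = nat_source(esp_pkt, "192.0.2.7")

    return {
        "ah_proto": ah_pkt[9],
        "esp_proto": esp_pkt[9],
        "checksums_ok": all(ip_checksum(p[:20]) == 0 for p in (ah_pkt, esp_pkt, tun_pkt, natted_ah)),
        "ah_valid": ah_verify(ah_pkt),
        "ah_valid_after_nat": ah_verify(natted_ah),      # AH covers the addresses: NAT breaks it
        "esp_valid_after_nat": esp_verify(natted_esp),   # ESP leaves the IP header out: NAT is tolerated
        "tunnel_outer_proto": tun_pkt[9],
        "tunnel_outer_src": socket.inet_ntoa(tun_pkt[12:16]),
        "tunnel_inner_intact": tun_pkt[28:48] == orig[:20],   # original header, addresses included, is payload
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the result dictionary: both transport-mode packets carry the original addresses with the protocol field rewritten, the AH packet no longer verifies once the NAT has changed its source, the ESP packet still does, and in tunnel mode the outer header shows only the gateway address while the original header sits intact inside the ESP payload.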

Comparison Between the Transport Mode and the Tunnel Mode

Comparison between the transport mode and the tunnel mode is as follows:

  • The tunnel mode is more secure than the transport mode. In tunnel mode, the original IP packet can be authenticated and encrypted in its entirety. In addition, the internal IP address, protocol type, and port are hidden.

  • The tunnel mode occupies more bandwidth because of an extra IP header.

Updated: 2019-01-03

Document ID: EDOC1100055047