IPSec (Internet Protocol Security) provides a framework for securing communications over IP networks by using cryptographic security services. It operates primarily at the Network Layer (Layer 3) of the OSI model, ensuring the security of IP packets. IPSec supports two primary encapsulation modes: Transport Mode and Tunnel Mode. Each mode serves specific purposes and operates differently to secure data transmissions.
Let us discuss both modes in detail.
IPSec Transport Mode
Transport Mode is designed to protect the payload of the IP packet while leaving the original IP header unchanged. This mode is primarily used for securing end-to-end communications between two hosts on the same network.
How Transport Mode Works:
- Original IP Packet:
  - The original IP packet consists of an IP header and a payload (the transport-layer segment, such as TCP or UDP).
- Encapsulation:
  - IPSec encapsulates the payload with the appropriate security protocol header, either Authentication Header (AH) or Encapsulating Security Payload (ESP).
  - Authentication Header (AH): Provides integrity and authentication for the entire IP packet.
  - Encapsulating Security Payload (ESP): Provides confidentiality, integrity, and authentication for the payload.
- Resulting IP Packet:
  - The resulting IP packet retains the original IP header, with the IPSec header inserted between that header and the payload, so the packet can be routed to its destination without any change to the routing information.
Characteristics of Transport Mode:
- Focus on Payload: In Transport Mode, IPSec secures only the payload of the IP packet, leaving the original IP header unchanged. This ensures that the data being transmitted between two hosts is protected without modifying the IP routing information.
- Minimal Overhead: Since the IP header is not encapsulated, Transport Mode adds less overhead compared to Tunnel Mode, resulting in smaller packet sizes and potentially better performance.
IPSec Tunnel Mode
Tunnel Mode is designed to encapsulate the entire original IP packet, including its IP header, within a new IP packet. In this mode there are two IP headers: an inner IP header and an outer IP header. The inner IP header is the original IP header; the outer IP header is added by this mode to provide the IPSec service. This mode is commonly used for network-to-network or gateway-to-gateway communications, such as in Virtual Private Networks (VPNs).
How Tunnel Mode Works:
- Original IP Packet:
  - The original IP packet includes the IP header and the payload.
- Encapsulation:
  - The entire original IP packet, including the IP header and payload, is encapsulated within a new IP packet.
  - IPSec security protocol headers (AH or ESP) are added for protection. In the picture, ESP is used as the example.
- New IP Header:
  - A new IP header is added by the network device providing the IPSec service. This new header carries the source and destination IP addresses of the IPSec tunnel endpoints.
Characteristics of Tunnel Mode:
- Double IP Headers: The encapsulated packet has two IP headers: the original IP header (inner header) and the new IP header (outer header) added by the IPSec gateway.
- Full Packet Protection: The entire original IP packet is protected by IPSec security protocols, ensuring confidentiality, integrity, and authentication.
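As an added worked example (not code from the original article), the two encapsulations described above built as raw bytes in Python. It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA2-256-128 integrity, both real IPsec transforms, so the header layout, padding and ICV are concrete without a cipher hiding the payload; the key, SPI, host and gateway addresses are constructed values.

```python
import hashlib, hmac, struct

ESP_PROTO, IPV4_IN_IP = 50, 4
KEY = b"constructed-demo-integrity-key-32b!"  # constructed key, not a real SA key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, with a valid header checksum."""
    addrs = [bytes(map(int, a.split("."))) for a in (src, dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, *addrs)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def esp_wrap(spi, seq, plaintext, next_header):
    """ESP framing: SPI | seq | payload | padding | pad_len | next_hdr | 16-byte ICV.
    NULL encryption (RFC 2410) keeps the payload readable; ICV = HMAC-SHA2-256-128."""
    pad_len = -(len(plaintext) + 2) % 4  # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + plaintext
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def esp_unwrap(esp):
    """Verify the ICV before trusting anything; return (next_header, plaintext)."""
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA key")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]

def transport_mode(pkt, spi, seq):
    """Original header stays (protocol becomes 50); ESP protects only the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    esp = esp_wrap(spi, seq, pkt[ihl:], next_header=pkt[9])
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(pkt, spi, seq, gw_src, gw_dst):
    """Whole original packet, header included, rides as ESP payload behind a new outer header."""
    esp = esp_wrap(spi, seq, pkt, next_header=IPV4_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

# constructed sample: 12-byte UDP datagram from host A (10.0.1.10) to host B (10.0.2.20)
UDP = struct.pack("!HHHH", 40000, 53, 12, 0) + b"hi!!"
ORIGINAL = ipv4_header("10.0.1.10", "10.0.2.20", 17, len(UDP)) + UDP
TRANSPORT = transport_mode(ORIGINAL, 0x1000, 1)                    # 60 bytes
TUNNEL = tunnel_mode(ORIGINAL, 0x1000, 1, "203.0.113.1", "198.51.100.1")  # 80 bytes
```

The 20-byte difference between the two results is exactly the inner IP header that Tunnel Mode carries inside the ESP payload, and in Transport Mode the host addresses remain readable to every router on the path while in Tunnel Mode only the gateway addresses are.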
Comparison
Feature | Transport Mode | Tunnel Mode |
---|---|---|
Primary Use Case | End-to-end communication between two hosts | Network-to-network or gateway-to-gateway communication |
Encapsulation | Only the payload (data) of the IP packet is encrypted and authenticated | Entire IP packet (including the original IP header and payload) is encapsulated within a new IP packet |
Original IP Header | Remains intact, visible to routers and intermediaries | Encapsulated within the new IP packet, not visible to intermediaries |
New IP Header | Not added, uses the original IP header | Added by the IPSec device, specifying tunnel endpoints |
Overhead | Lower overhead, smaller packet size | Higher overhead, larger packet size due to additional headers |
Security Protocols | AH or ESP | AH or ESP |
Confidentiality | Payload confidentiality with ESP | Full packet confidentiality with ESP |
Integrity and Authentication | Provided for payload with AH or ESP | Provided for the entire original packet with AH or ESP |
Typical Use Cases | Secure internal host-to-host communication, application-level security | Site-to-site VPNs, remote access VPNs, gateway-to-gateway communications |
Routing | Original IP addresses are used for routing | New IP addresses are used for routing |
Fragmentation | Less likely due to lower overhead | More likely due to increased packet size |
Performance | Generally higher due to lower overhead | May be lower due to higher overhead and possible fragmentation |
Complexity | Simpler to implement for end-to-end scenarios | More complex due to encapsulation of the entire packet |