The figure shows an IPSec-protected path in the basic transport-mode and tunnel-mode scenarios. In transport mode, each end host performs IPSec encapsulation of its own data, host-to-host. IPSec therefore has to be implemented on the end hosts, and the application endpoint must also be the IPSec endpoint. In tunnel mode, IPSec gateways provide IPSec services to other hosts through peer-to-peer tunnels. The end hosts are not aware that IPSec is protecting their traffic; the gateways provide transparent protection of other hosts' traffic across untrusted networks.
ESP and AH can be applied to IP packets in two different ways: transport mode and tunnel mode. In transport mode, security is provided only for the transport layer and above. Transport mode protects the payload of the packet but leaves the original IP header in the clear, and the original IP addresses are used to route the packet through the Internet. Tunnel mode provides security for the whole original IP packet: the original IP packet is encrypted and then encapsulated in another IP packet, and the outer IP addresses are used to route the packet through the Internet.
AH adds a new AH header and, in tunnel mode, an outer tunnel IP header to the packet. In transport mode, the AH header normally adds 24 bytes to each packet. In tunnel mode, the tunnel IP header and the AH header together add 44 bytes to each packet.
ESP adds a new ESP header, an ESP trailer and, in tunnel mode, an outer tunnel IP header to the packet. In transport mode, the ESP header and trailer normally add up to 37 bytes to each packet. In tunnel mode, the tunnel IP header plus the ESP header and trailer add up to 57 bytes to each packet. Using both AH and ESP in tunnel mode can add up to 101 bytes to each packet.
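The following is an added example, not code from the original page, that models the two ESP modes described above and the per-packet overhead figures quoted in the last paragraph. It builds a constructed IPv4/UDP packet, encapsulates it in ESP transport mode (original IP header kept in the clear, protocol field rewritten to 50) and in ESP tunnel mode (whole original packet inside ESP, new outer header carrying gateway addresses), and then computes the worst-case overhead under the assumptions that the ESP header is 8 bytes (SPI and sequence number), the trailer pads to a 16-byte cipher block plus a 2-byte pad-length/next-header field, and the ICV is a 12-byte truncated HMAC-SHA1-96. With those assumptions the maxima come out to the 37 and 57 bytes the text gives. All addresses, SPIs and keys are constructed; the cipher is a labelled XOR stand-in so that the layout is visible, not a real IPsec transform.

```python
"""ESP transport vs. tunnel mode layout and overhead (constructed example)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50        # protocol number announcing an ESP header
IPIP_PROTO = 4        # next header value for an encapsulated IPv4 packet
IPV4_HDR_LEN = 20     # minimal IPv4 header without options
ESP_HDR_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 12          # HMAC-SHA1-96: 96-bit truncated authenticator
BLOCK = 16            # assumed cipher block size for ESP padding
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum is left zero (not needed here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields of the outer IPv4 header that routers can see."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:IPV4_HDR_LEN])
    return {"src": src, "dst": dst, "proto": proto, "len": total_len}


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with a SHA-256 keystream. NOT secure;
    it only keeps the byte layout visible. Real ESP uses e.g. AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int,
                    enc_key: bytes, auth_key: bytes) -> bytes:
    """ESP header || cipher(inner || padding || pad_len || next_header) || ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK          # pad so plaintext fills whole blocks
    padding = bytes(range(1, pad_len + 1))          # monotonic pad bytes, as in RFC 4303
    plaintext = inner + padding + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + toy_cipher(enc_key, plaintext)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp: bytes, enc_key: bytes, auth_key: bytes) -> tuple:
    """Verify the ICV, strip header/trailer; return (inner_bytes, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    plaintext = toy_cipher(enc_key, body[ESP_HDR_LEN:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[:-(pad_len + 2)], next_header


def esp_transport(orig: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes) -> bytes:
    """Transport mode: original IP header stays in the clear, payload goes in ESP."""
    hdr = parse_ipv4(orig)
    esp = esp_encapsulate(orig[IPV4_HDR_LEN:], hdr["proto"], spi, seq, enc_key, auth_key)
    return ipv4_header(hdr["src"], hdr["dst"], ESP_PROTO, IPV4_HDR_LEN + len(esp)) + esp


def esp_tunnel(orig: bytes, gw_src: bytes, gw_dst: bytes, spi: int, seq: int,
               enc_key: bytes, auth_key: bytes) -> bytes:
    """Tunnel mode: whole original packet goes in ESP behind a new outer header."""
    esp = esp_encapsulate(orig, IPIP_PROTO, spi, seq, enc_key, auth_key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, IPV4_HDR_LEN + len(esp)) + esp


def max_esp_overhead(tunnel: bool) -> int:
    """Worst-case bytes added per packet over every inner length modulo BLOCK."""
    worst = max(ESP_HDR_LEN + ((-(n + 2)) % BLOCK) + 2 + ICV_LEN for n in range(BLOCK))
    return worst + (IPV4_HDR_LEN if tunnel else 0)


# Constructed sample: 10.0.0.1 -> 10.0.1.2, UDP (17), 15-byte payload.
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 2])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"
PAYLOAD = b"A" * 15
ORIGINAL = ipv4_header(HOST_A, HOST_B, 17, IPV4_HDR_LEN + len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    t = esp_transport(ORIGINAL, 0x1001, 1, ENC_KEY, AUTH_KEY)
    u = esp_tunnel(ORIGINAL, GW_A, GW_B, 0x1002, 1, ENC_KEY, AUTH_KEY)
    print("transport: visible", parse_ipv4(t), "overhead", len(t) - len(ORIGINAL))
    print("tunnel:    visible", parse_ipv4(u), "overhead", len(u) - len(ORIGINAL))
    print("max overhead transport/tunnel:", max_esp_overhead(False), max_esp_overhead(True))
```

Running it shows the security-relevant difference directly: in transport mode a router on the path still reads the real end-host addresses from the outer header, while in tunnel mode it sees only the two gateway addresses and the original header is inside the encrypted region. The 15-byte payload is a deliberately chosen worst case for padding, so the transport-mode packet grows by exactly 37 bytes; other payload lengths grow by less. The AH figures (24 and 44 bytes) follow the same pattern with a 12-byte fixed AH header plus the 12-byte ICV, and the example does not model the combined AH-plus-ESP case.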