Transport mode and tunnel mode, Ipsec header options, Authentication header – Brocade Web Tools Administrators Guide (Supporting Fabric OS v7.3.0) User Manual


Transport mode and tunnel mode

Transport mode adds an authentication header (AH) before the IP header. Only a single pair of
addresses is used (those in the IP header). When transport mode is used, both endpoints implement
IPsec.

Tunnel mode encapsulates an IP datagram in a new datagram, with a new IP header specifying the
addresses of the tunnel end points. IPsec is implemented between tunnel endpoints. IPsec is
transparent to the actual endpoints within the IP header in the original packet.

The following figure provides a basic visual comparison of how transport mode and tunnel mode
modify an IP datagram.

FIGURE 43 Transport mode and tunnel mode comparison

IPsec header options

IPsec adds headers to an IP datagram to enable authentication and privacy. There are two options:

• Authentication Header (AH)
• Encapsulating Security Payload (ESP)

Authentication Header

AH can be used to authenticate a data stream, but it does not provide the encryption needed for privacy. The AH contains a message authentication code (MAC), which is produced by a hash algorithm calculation and transmitted in the IP datagram. The receiver applies the same hash algorithm to verify the integrity of the packet. AH can be used in either transport mode or tunnel mode, as shown in Figure 44.
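As an added example (not code from the guide or from Brocade), the following Python builds an AH-protected datagram in both modes described above, laid out as RFC 4302 specifies, and performs the receiver-side MAC check. It uses HMAC-SHA1-96 as the hash algorithm; the key, addresses, SPI and payload are constructed sample values.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_PROTO, IPIP_PROTO, TCP_PROTO = 51, 4, 6
KEY = b"constructed-demo-key"  # constructed sample key, shared by both endpoints

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0; it is mutable under AH anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def zero_mutable(ip_hdr):
    """AH covers the IP header with the mutable fields (TOS, flags/fragment, TTL, checksum) zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    """RFC 4302 AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_hdr, spi, seq, inner):
    """HMAC-SHA1-96 over zeroed outer header + AH (ICV field zeroed) + everything after the AH."""
    ah_zero = ah_header(next_hdr, spi, seq, b"\x00" * 12)
    return hmac.new(key, zero_mutable(ip_hdr) + ah_zero + inner, hashlib.sha1).digest()[:12]

def protect(mode, inner_pkt, spi=0x100, seq=1, outer=("10.0.0.1", "10.0.0.2")):
    """Apply AH to an original datagram (IP header + payload) in transport or tunnel mode."""
    if mode == "transport":
        # AH goes between the original IP header and its payload; the same address pair is kept.
        ip_hdr, inner, next_hdr = inner_pkt[:20], inner_pkt[20:], inner_pkt[9]
        ip_hdr = (ip_hdr[:2] + struct.pack("!H", 20 + 24 + len(inner)) + ip_hdr[4:9]
                  + bytes([AH_PROTO]) + ip_hdr[10:])
    else:
        # The whole original datagram is the payload of a new header addressed to the tunnel endpoints.
        inner, next_hdr = inner_pkt, IPIP_PROTO
        ip_hdr = ipv4_header(outer[0], outer[1], AH_PROTO, 24 + len(inner))
    icv = compute_icv(KEY, ip_hdr, next_hdr, spi, seq, inner)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + inner

def verify(key, pkt):
    """Receiver: recompute the MAC with the same key and algorithm; constant-time compare."""
    ip_hdr, ah = pkt[:20], pkt[20:44]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(ah[12:], compute_icv(key, ip_hdr, next_hdr, spi, seq, pkt[44:]))
```

Because the mutable fields are excluded from the MAC, a TTL decrement by an intermediate router still verifies, while any change to the addresses, payload or AH fields does not.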

224    Web Tools Administrator's Guide    53-1003169-01
