A SKIP tunnel is a logical connection between your computer and another host, the security proxy, that accepts encrypted packets on behalf of remote hosts. Before your computer sends a packet through a SKIP tunnel, it encrypts the entire original packet, including its IP header, and prepends a new IP header that specifies the security proxy as the destination. The security proxy removes the outer header, decrypts the packet, and uses the IP header of the decrypted packet to route it to its actual destination.
SKIP tunnels offer several advantages over endpoint-to-endpoint encryption:
Centralized decryption - By directing network traffic through a SKIP tunnel to a special gateway, a site can centralize encryption and decryption in a single machine. Consequently, the site need not install security software on every host.
Topology hiding - The tunnel address field (the destination address of the outer IP header) contains the IP address of the security proxy; the IP address of the packet's actual destination is encrypted along with the rest of the packet. Consequently, someone who captures a packet in transit learns only the proxy's address, not the addresses of the hosts behind it, and so cannot map the site's internal topology from the packet.
Reliable handling of packet fragments - With endpoint-to-endpoint encryption, packets may be fragmented as they travel from one site to another. If the destination site has more than one gateway, the fragments of a single packet may be routed to different gateways. Since each gateway receives only part of the packet, none of them can reassemble and decrypt it, and the packet contents cannot be forwarded to the destination host. Because every tunneled packet, and therefore every fragment of it, carries the security proxy as its destination, the proxy receives all the fragments, reassembles the packet, and only then decrypts it and routes it to the destination host.
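The encapsulation described at the top of this page and the fragment handling in the last item, worked through end to end as an added example. This is not code from the original page or from any SKIP implementation: the packet layout is not the SKIP wire format, the cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag, using separate encryption and authentication subkeys) for SKIP's real traffic ciphers, and the addresses, key, IP ID and payload are constructed for the demonstration. The only value taken from the real protocol is IP protocol number 57, which IANA assigns to SKIP.

```python
"""Toy SKIP-style tunnel: added example, not SKIP's wire format or cipher."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

IPPROTO_SKIP = 57           # IANA-assigned IP protocol number for SKIP
PROXY_IP = "192.0.2.1"      # assumed: the site's security proxy
SENDER_IP = "198.51.100.7"  # assumed: your computer
INNER_DST = "10.1.2.3"      # assumed: internal host that must stay hidden on the wire
TUNNEL_KEY = b"\x01" * 32   # constructed demo key (SKIP derives real traffic keys itself)

def _checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ident=0, mf=False, frag_off=0):
    """Minimal 20-byte IPv4 header; frag_off is in bytes and a multiple of 8."""
    flags_off = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return dict(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)), proto=proto,
                ident=ident, mf=bool(ff & 0x2000), offset=(ff & 0x1FFF) * 8,
                payload=pkt[(vihl & 0x0F) * 4:total])

def _subkeys(key):   # stand-in cipher: separate keys for keystream and tag
    return (hmac.new(key, b"demo-enc", hashlib.sha256).digest(),
            hmac.new(key, b"demo-mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, n):
    blocks = (hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encapsulate(inner_pkt, key, ident, sender=SENDER_IP, proxy=PROXY_IP):
    """Sender side: whole inner packet becomes ciphertext; outer header names the proxy."""
    body = seal(key, inner_pkt)
    return ipv4_header(sender, proxy, IPPROTO_SKIP, len(body), ident) + body

def fragment(pkt, mtu):
    """Split an outer packet into IP fragments; each still carries the proxy as dst."""
    h, frags = parse_ipv4(pkt), []
    step = ((mtu - 20) // 8) * 8
    for off in range(0, len(h["payload"]), step):
        chunk = h["payload"][off:off + step]
        frags.append(ipv4_header(h["src"], h["dst"], h["proto"], len(chunk), h["ident"],
                                 off + step < len(h["payload"]), off) + chunk)
    return frags

class SecurityProxy:
    def __init__(self, address, key):
        self.address, self.key, self.pending = address, key, {}

    def receive(self, pkt):
        """Return (inner_dst, inner_packet) once a whole tunnel packet is present, else None."""
        h = parse_ipv4(pkt)
        if h["dst"] != self.address or h["proto"] != IPPROTO_SKIP:
            return None                        # not this proxy's tunnel traffic
        flow = (h["src"], h["ident"])          # reassembly buffer per outer src + IP ID
        buf = self.pending.setdefault(flow, {})
        buf[h["offset"]] = (h["payload"], h["mf"])
        data, off = b"", 0                     # walk the contiguous chain from offset 0
        while off in buf:
            chunk, more = buf[off]
            data, off = data + chunk, off + len(chunk)
            if not more:                       # last fragment reached: packet complete
                del self.pending[flow]
                inner = unseal(self.key, data)  # authenticate, then decrypt
                return parse_ipv4(inner)["dst"], inner   # route on the inner header
        return None                            # still waiting for fragments

def run_demo():
    inner = ipv4_header(SENDER_IP, INNER_DST, 6, 40) + b"T" * 40   # constructed TCP-like packet
    wire = encapsulate(inner, TUNNEL_KEY, ident=4242)
    captured = parse_ipv4(wire)                # what a sniffer on the path sees
    proxy = SecurityProxy(PROXY_IP, TUNNEL_KEY)
    other = SecurityProxy("192.0.2.99", TUNNEL_KEY)   # assumed second gateway at the site
    frags = fragment(wire, mtu=80)
    seen = [proxy.receive(f) for f in reversed(frags)]   # fragments arrive out of order
    return dict(captured_dst=captured["dst"], captured_proto=captured["proto"],
                n_frags=len(frags), partial=seen[:-1], delivered=seen[-1],
                other_gateway=[other.receive(f) for f in frags])
```

Calling run_demo() shows the three points of the text at once: the captured outer header names only the proxy (protocol 57), the two fragments are both addressed to the proxy and are reassembled there even when they arrive in reverse order, and a different gateway at the same site ignores them because they are not addressed to it. Two design choices carry over to a real deployment: the proxy keys its reassembly buffer on the outer source address and IP ID, which is exactly why every fragment must reach the same proxy, and it authenticates the ciphertext before parsing the inner header, so a corrupted or forged tunnel packet is rejected rather than routed.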