Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Transport and Tunnel Modes in IPsec

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode. The key difference between transport and tunnel mode is where policy is applied. In tunnel mode, the original packet is encapsulated in an outer IP header. The IP addresses in the inner and outer headers can be different.

Traffic selectors, introduced in IPsec Policy, determine if a packet matches a policy rule. Selectors include:

  • Source IP address

  • Destination IP address

  • Protocol number, if applicable

  • Port numbers, if applicable

The pattern used to match IPsec policy rules consists of a subset of these selectors.

In transport mode, the traffic selectors are matched against the outer IP header. In tunnel mode, they are matched against the inner IP header. Tunnel mode can be applied to any mix of end systems and intermediate systems, such as security gateways.

In transport mode, the IP header, the next header, and any ports that the next header supports can be used to determine if IPsec policy applies. In effect, IPsec can enforce different transport mode policies between two IP addresses to the granularity of a single port. For example, if the next header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP address.

Tunnel mode works only for IP-in-IP packets. In tunnel mode, IPsec policy is enforced on the contents of the inner IP packet. Different policy can be enforced for different inner IP addresses. That is, the inner IP header, its next header, and the ports that the next header supports can enforce a policy.

In tunnel mode, IPsec policy can be specified for subnets of a LAN behind a router and for ports on those subnets. IPsec policy can also be specified for particular IP addresses, that is, hosts, on those subnets. The ports of those hosts can also have a specific IPsec policy. For examples of tunneling procedures that include configuring static routes, see Protecting a VPN With IPsec.

When IPsec policy is applied to traffic in IP tunnels, the name of the IP tunnel interface is used to link the traffic in that tunnel to an IPsec policy rule. IPsec policy provides a tunnel keyword to select an IP tunneling network interface. When the tunnel keyword is present in a rule, all selectors that are specified in that rule apply to the inner packet.

For information about tunneling interfaces, see Chapter 4, About IP Tunnel Administration in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.3.

The following figures illustrate protected and unprotected packets.

Unprotected IP Packet Carrying TCP Information shows an IP header with an unprotected TCP packet.

Figure 8  Unprotected IP Packet Carrying TCP Information

image:Graphic shows the IP header followed by the TCP header. The TCP header is not protected.

Protected IP Packet Carrying TCP Information shows ESP protecting the data in transport mode. The shaded area shows the encrypted part of the packet.

Figure 9  Protected IP Packet Carrying TCP Information

image:Graphic shows the ESP header between the IP header and the TCP header. The TCP header is encrypted by the ESP header.

IPsec Packet Protected in Tunnel Mode shows that the entire packet is inside the ESP header in tunnel mode. The packet from Unprotected IP Packet Carrying TCP Information is protected in tunnel mode by an outer IPsec header and, in this case, ESP.

Figure 10  IPsec Packet Protected in Tunnel Mode

image:Graphic shows the ESP header after the IP header and before an IP header and a TCP header. The last 2 headers are protected by encryption.