ESP transport mode should be used to ensure the integrity and confidentiality of data that is exchanged within the same LAN. What are transport mode and tunnel mode in IPsec? In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet. In tunnel mode, two IP headers are sent.
Authentication Header (AH): It offers integrity and data origin authentication, with optional anti-replay features.
Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality.
Transport Mode - In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. (P.1464/1448)
In the tunnel mode (also AH), the IPsec encrypts both the payload and header. Hence, the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel mode is used to create VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-to-host communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.
In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of outer IP headers. The tunnel mode is usually useful between two gateways or between a host and gateway.
In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT.
Figure
AH transport mode
ESP transport mode
ESP tunnel mode
AH tunnel mode
Answer B is correct. ESP transport mode should be used to ensure the integrity and confidentiality of data that is exchanged within the same LAN. AH transport would only ensure the integrity of the LAN data, not the confidentiality; therefore, answer A is incorrect. ESP tunnel mode should be used to secure the integrity and confidentiality of data between networks and not within a network; therefore, answer C is incorrect. AH tunnel mode should be used to secure the integrity of data between networks and not within a network; therefore, answer D is incorrect.
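The header and payload coverage described in the explanations above, as an added toy model that is not from this page or from any IPsec implementation: it assumes a placeholder XOR keystream in place of a real cipher and HMAC-SHA256 as the ICV, and shows why ESP survives a NAT rewrite of the outer address while AH does not, and how tunnel mode wraps the whole inner packet in a new header.

```python
import hashlib, hmac, json

# Constructed toy model of IPsec AH/ESP coverage (NOT a real IPsec stack).

def _xor(key: bytes, data: bytes) -> bytes:
    # Placeholder keystream "cipher": XOR with SHA-256 blocks. Not secure; it only
    # marks which bytes a mode would encrypt.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _icv(key: bytes, *parts) -> str:
    # Integrity check value over exactly the parts a mode authenticates.
    return hmac.new(key, json.dumps(parts, sort_keys=True).encode(), "sha256").hexdigest()

def esp_transport(pkt: dict, key: bytes) -> dict:
    # IP header left untouched; only the payload is encrypted. The ICV covers the
    # ESP part, never the IP header, so a NAT may rewrite the addresses.
    ct = _xor(key, pkt["payload"]).hex()
    return {"ip": dict(pkt["ip"]), "esp": {"ct": ct, "icv": _icv(key, ct)}}

def esp_tunnel(pkt: dict, key: bytes, gw_src: str, gw_dst: str) -> dict:
    # Whole inner packet (header + payload) encrypted and carried inside a new
    # outer IP header between the two gateways.
    inner = json.dumps({"ip": pkt["ip"], "payload": pkt["payload"].hex()},
                       sort_keys=True).encode()
    ct = _xor(key, inner).hex()
    return {"ip": {"src": gw_src, "dst": gw_dst}, "esp": {"ct": ct, "icv": _icv(key, ct)}}

def ah_transport(pkt: dict, key: bytes) -> dict:
    # Payload stays in the clear; ICV covers the immutable header fields
    # (addresses) plus the payload: integrity and origin, no confidentiality.
    pl = pkt["payload"].hex()
    icv = _icv(key, pkt["ip"]["src"], pkt["ip"]["dst"], pl)
    return {"ip": dict(pkt["ip"]), "ah": {"icv": icv}, "payload": pl}

def decrypt_esp_transport(protected: dict, key: bytes) -> bytes:
    return _xor(key, bytes.fromhex(protected["esp"]["ct"]))

def verify(protected: dict, key: bytes) -> bool:
    # Receiver recomputes the ICV over the same parts the sender covered.
    if "ah" in protected:
        expected = _icv(key, protected["ip"]["src"], protected["ip"]["dst"], protected["payload"])
        return hmac.compare_digest(expected, protected["ah"]["icv"])
    return hmac.compare_digest(_icv(key, protected["esp"]["ct"]), protected["esp"]["icv"])

def nat_rewrite(protected: dict, new_src: str) -> dict:
    # A NAT device on the path changing the outer source address.
    out = json.loads(json.dumps(protected))
    out["ip"]["src"] = new_src
    return out
```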
Great explanation. However,
As per Matt Walker's book, p.404: "Tunnel mode, however, encrypts the whole thing, encapsulating the entire original packet in a new IPSec shell. This makes it INCOMPATIBLE with NAT."