Friday, August 31, 2012

Provide several examples of IPSec. What services are provided by IPSec? What is the difference between Transport Mode and Tunnel Mode?


IPSec (Internet Protocol Security) is a capability that can be added to either current version of the Internet Protocol by means of additional headers. IPsec encompasses three functional areas: authentication, confidentiality, and key management.

IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the internet. Examples of IPSec use include the following:

Secure branch office connectivity over the internet: a company can build a secure virtual private network over the internet or over a public WAN. This enables a business to rely heavily on the internet and reduce its need for private networks, saving costs and network management overhead.

Another example is secure remote access over the internet. In this case, an end user whose system is equipped with IP security protocols can make a local call to an internet service provider and gain secure access to a company network. This reduces the cost of toll charges for travelling employees and telecommuters.

Last but not least, enhancing electronic commerce security: even though some web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.

IPSec provides security services at the IP layer, enabling a system to select the required security protocols, determine the algorithms to use for those services, and put in place any cryptographic keys required to provide the requested services. The services provided by IPSec are the following:

· Access control
· Connectionless integrity
· Data origin authentication
· Rejection of replayed packets (a form of partial sequence integrity)
· Confidentiality (encryption)
· Limited traffic flow confidentiality

The IPsec standards define two distinct modes of IPsec operation: transport mode and tunnel mode. The modes do not affect the encoding of packets; the packets are protected by AH, ESP, or both in each mode. The modes differ in how policy is applied when the inner packet is an IP packet, as follows:

· In transport mode, the outer header determines the IPsec policy that protects the inner IP packet.
· In tunnel mode, the inner IP packet determines the IPsec policy that protects its contents.

In transport mode, the outer header, the next header, and any ports that the next header supports can be used to determine IPsec policy. In effect, IPsec can enforce different transport mode policies between two IP addresses down to the granularity of a single port. For example, if the next header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP address. Similarly, if the next header is an IP header, the outer header and the inner IP header can be used to determine IPsec policy.

Tunnel mode works only for IP-in-IP datagrams. Tunneling in tunnel mode can be useful when workers at home are connecting to a central computer location. In tunnel mode, IPsec policy is enforced on the contents of the inner IP datagram. Different IPsec policies can be enforced for different inner IP addresses; that is, the inner IP header, its next header, and the ports that the next header supports can enforce a policy. Unlike transport mode, in tunnel mode the outer IP header does not dictate the policy of its inner IP datagram.
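The following is an added example, not part of the original post, that makes the transport/tunnel distinction concrete: it builds a constructed TCP datagram and an IP-in-IP datagram, derives the selector tuple the IPsec policy lookup would key on in each mode, and shows that the ESP encoding itself is the same in both modes. The addresses, ports and SPI are constructed sample values, and encryption and the ESP integrity check are deliberately omitted (header layout only).

```python
import socket
import struct

# IP protocol numbers: 4 = IP-in-IP, 6 = TCP, 50 = ESP.
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left 0, not needed here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp(sport: int, dport: int) -> bytes:
    """Bare 20-byte TCP header: ports, seq, ack, data offset, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}

def policy_selector(datagram: bytes, mode: str) -> tuple:
    """Return the (src, dst, proto, dport) tuple the IPsec policy lookup keys on.
    transport: the outer header and its next header (ports, if TCP) decide.
    tunnel: only IP-in-IP is accepted and the INNER header decides."""
    ip = parse_ipv4(datagram)
    if mode == "tunnel":
        if ip["proto"] != IPPROTO_IPIP:
            raise ValueError("tunnel mode works only for IP-in-IP datagrams")
        ip = parse_ipv4(ip["payload"])      # outer header is ignored for policy
    elif mode != "transport":
        raise ValueError("mode must be 'transport' or 'tunnel'")
    dport = None
    if ip["proto"] == IPPROTO_TCP:          # next header supports ports
        dport = struct.unpack("!H", ip["payload"][2:4])[0]
    return ip["src"], ip["dst"], ip["proto"], dport

def esp_protect(datagram: bytes, spi: int, seq: int) -> bytes:
    """Layout only (no encryption/ICV): ESP header goes right after the outer IP header.
    The same encoding serves both modes; what follows ESP is the TCP segment in
    transport mode and the whole inner IP packet in tunnel mode."""
    ip = parse_ipv4(datagram)
    esp_hdr = struct.pack("!II", spi, seq)  # SPI + sequence number (anti-replay)
    return build_ipv4(ip["src"], ip["dst"], IPPROTO_ESP, esp_hdr + ip["payload"])

# Constructed sample: host 10.1.1.5 -> 10.2.2.7 on TCP/443, then tunnelled gateway to gateway.
INNER = build_ipv4("10.1.1.5", "10.2.2.7", IPPROTO_TCP, build_tcp(40000, 443))
TUNNEL = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, INNER)
```

Running `policy_selector(TUNNEL, "transport")` yields the gateway addresses with protocol 4 and no port, while `policy_selector(TUNNEL, "tunnel")` yields the inner hosts and TCP port 443, which is exactly the difference in policy application the text describes.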
