What is tunnel mode in IPSec protocol? And what is the difference between tunnel mode and transport mode?
There are two modes of Internet Protocol Security (IPSec): transport mode and tunnel mode. In tunnel mode the entire original IP packet, including its IP header, is encrypted and authenticated; the original packet, data and routing information together, is encapsulated in a new IP packet with a new outer IP header. This provides secure communication between the two interacting parties and is how a VPN connection is established. Because the whole original packet, transport-layer segment and IP header alike, is protected, no router along the path can examine the inner IP header that carries the true source and destination addresses. Tunnel mode is commonly used when both ends of a security association (SA) are security gateways, such as a firewall or router that implements IPSec; hosts on the networks behind those gateways can then communicate securely without implementing IPSec themselves. Tunnel mode of IPSec is designed for link encryption.
Transport mode, by contrast, encrypts and authenticates only the IP payload (the data carried in the packet), which still yields a secure communication channel. It provides protection primarily for upper-layer protocols such as TCP or UDP. Unlike tunnel mode, it does not encrypt the IP header or other routing information. Transport mode is used for encrypted end-to-end communication between a client and a server.
IPSec relies on several components to perform its authentication and encryption services, chiefly the Authentication Header (AH), the Encapsulating Security Payload (ESP) and Security Associations (SAs).
- Authentication Header (AH): AH provides assurances of message integrity and nonrepudiation. It also provides authentication, implements session access control and prevents replay attacks. The primary purpose of AH is to confirm the source address of the IP packet.
- Encapsulating Security Payload (ESP): ESP provides confidentiality and integrity services for the payload content but not for the packet header. It provides encryption using the Advanced Encryption Standard (AES), limited authentication and, like AH, protection against replay attacks.
- Security Association (SA): Before two endpoints or hosts can engage in secure communication, they must first agree on security parameters such as secret keys. This agreement is referred to as a security association (SA). An SA is a set of values that define the IPSec features and protection measures applied to a connection.
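The following Python script is an added illustration, not part of the original answer, of the two points above: the transport-versus-tunnel difference (what an on-path router can still read from the outer header) and the ESP/SA mechanics (SPI and sequence number, integrity check value, anti-replay window). It builds a constructed IPv4 packet, wraps it in ESP under an SA in either mode, and unwraps it on the receiving side. The HMAC-SHA256 keystream used for encryption is a stand-in for AES (the standard library has no AES), the 16-byte ICV follows the HMAC-SHA256-128 truncation, and the ESP trailer is simplified to a zero pad; all addresses, keys and payload bytes are constructed sample values.

```python
"""ESP transport vs tunnel mode, illustrated (added example, not the page's code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50       # IP protocol number of ESP
IPV4_IN_IP = 4       # ESP "next header" value for an encapsulated IPv4 packet
ICV_LEN = 16         # HMAC-SHA256-128 truncation length
REPLAY_WINDOW = 64   # anti-replay window, in sequence numbers


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because only layout matters here."""
    def ip(a): return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, ip(src), ip(dst))


def header_fields(packet: bytes) -> tuple:
    """(src, dst, protocol) exactly as an on-path router reads them from the outer header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst)), packet[9]


@dataclass
class SecurityAssociation:
    """Parameters both ends agree on before protected traffic flows (one SA per direction)."""
    spi: int
    mode: str                      # "transport" or "tunnel"
    enc_key: bytes
    auth_key: bytes
    gw_src: str = ""               # tunnel mode only: gateway addresses for the outer header
    gw_dst: str = ""
    next_seq: int = 0              # outbound: last sequence number sent
    highest_seq: int = 0           # inbound: highest sequence number accepted
    seen: set = field(default_factory=set)

    def accept_seq(self, seq: int) -> None:
        """Anti-replay check: reject duplicates and anything older than the window."""
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest_seq:
            raise ValueError(f"replayed or stale sequence number {seq}")
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.seen = {s for s in self.seen if s + REPLAY_WINDOW > self.highest_seq}


def _keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in for AES: XOR with an HMAC-SHA256 keystream bound to (SPI, sequence number)."""
    stream = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(sa: SecurityAssociation, packet: bytes) -> bytes:
    """Wrap an IPv4 packet in ESP according to the SA's mode; returns the bytes on the wire."""
    sa.next_seq += 1
    if sa.mode == "transport":
        src, dst, proto = header_fields(packet)   # original header stays in the clear
        inner, next_hdr = packet[20:], proto      # only the transport-layer payload is protected
    else:
        src, dst = sa.gw_src, sa.gw_dst           # new outer header names the gateways
        inner, next_hdr = packet, IPV4_IN_IP      # the whole original packet is protected
    plaintext = inner + bytes([0, next_hdr])      # simplified ESP trailer: pad length 0, next header
    body = struct.pack("!II", sa.spi, sa.next_seq)
    body += _keystream_xor(sa.enc_key, sa.spi, sa.next_seq, plaintext)
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN) + body + icv


def esp_unprotect(sa: SecurityAssociation, wire: bytes) -> bytes:
    """Verify the ICV, run the anti-replay check, decrypt, and return the original packet."""
    body, icv = wire[20:-ICV_LEN], wire[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError(f"no SA for SPI {spi:#x}")
    sa.accept_seq(seq)
    plain = _keystream_xor(sa.enc_key, spi, seq, body[8:])
    inner, next_hdr = plain[:-2], plain[-1]
    if sa.mode == "tunnel":
        return inner                              # inner is the complete original packet
    hdr = bytearray(wire[:20])                    # transport: restore protocol and length
    hdr[9] = next_hdr
    hdr[2:4] = struct.pack("!H", 20 + len(inner))
    return bytes(hdr) + inner


def _rejects(sa: SecurityAssociation, wire: bytes) -> bool:
    try:
        esp_unprotect(sa, wire)
        return False
    except ValueError:
        return True


def demo(mode: str) -> dict:
    """Protect a constructed host-to-host packet and report what a router would see."""
    params = dict(spi=0x1001, mode=mode, enc_key=b"k" * 32, auth_key=b"a" * 32,
                  gw_src="203.0.113.1", gw_dst="198.51.100.1")   # constructed sample values
    outbound, inbound = SecurityAssociation(**params), SecurityAssociation(**params)
    payload = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"      # constructed TCP-like payload
    packet = ipv4_header("10.0.0.5", "10.1.0.7", 6, 20 + len(payload)) + payload
    wire = esp_protect(outbound, packet)
    return {"router_sees": header_fields(wire),
            "payload_visible": payload in wire,
            "recovered": esp_unprotect(inbound, wire) == packet,
            "replay_rejected": _rejects(inbound, wire)}   # same datagram a second time


if __name__ == "__main__":
    for m in ("transport", "tunnel"):
        print(m, demo(m))
```

In transport mode the router still sees the real hosts 10.0.0.5 and 10.1.0.7 with protocol 50; in tunnel mode it sees only the two gateways, and the inner header is part of the ciphertext. In both modes the payload is unreadable, a tampered datagram fails the ICV check before anything is decrypted, and a second delivery of the same datagram is refused by the sequence-number window.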