[e2e] where to put endpoint authentication?

Joe Touch touch at ISI.EDU
Mon May 10 10:21:34 PDT 2004
RJ Atkinson wrote:
...
> Transport-mode IPsec (where IPsec == {AH, ESP}) provides
> transport-layer security.   Tunnel-mode IPsec provides network-layer
> security.  IPsec is supported by key management from IKE.
> (NB: In my terminology, IKE is not "IPsec" but is instead a
> separate key management protocol that could be used for protocols
> unrelated to IPsec.  Terminology varies widely for "IPsec".).

There are two distinct properties of the security protocols I mentioned:

	1. the layer where the security is performed or inserted
	(what header is modified)

	2. the layer protected

I was generally labelling solutions with respect to (1), and discussed 
(2) as a property.

----

W.r.t. IPsec, both AH and ESP are network-layer by criterion (1).

Transport-mode AH is network-layer by criterion (2). The transport 
payload is also protected. The transport protocol and port may be 
constrained, but that is not required.

Transport-mode ESP is transport layer by criterion (2).

----

Tunnel mode is an odd case (in many ways ;-), since it combines 
network-layer tunneling with network-layer (criterion 1) security. The 
primary difference with transport mode is that tunnel mode checks the 
inner IP addresses at the receiver and not any transport protocol or 
port information. However, that's equivalent to checking 'transport' 
(w.r.t. the outer packet header) criteria. At that point, whether tunnel 
mode protects network or 'transport' depends on whether ESP or AH are used.

Joe
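To make criterion (2) concrete, here is an added Python model of which bytes each mode's integrity check covers; it is editorial example code, not from Joe's message or from any IPsec implementation. The IPv4 header and transport segment are constructed, the key is a placeholder rather than one negotiated by IKE, and a truncated HMAC stands in for the ICV.

```python
import hashlib
import hmac
import struct

# Placeholder key for the model; a real SA gets its key from IKE.
KEY = b"demo-key-not-from-ike"


def ipv4_header(src: bytes, dst: bytes, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0, src, dst)


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed stand-in for a transport header plus payload."""
    return struct.pack("!HH", sport, dport) + payload


def ah_immutable(ip_hdr: bytes) -> bytes:
    """AH zeroes mutable IP fields before the ICV; this model zeroes TTL and checksum."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0                 # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"   # header checksum changes with TTL
    return bytes(hdr)


def icv(covered: bytes) -> bytes:
    """Truncated HMAC-SHA-256 standing in for the integrity check value."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]


def ah_transport_icv(ip_hdr: bytes, transport: bytes) -> bytes:
    """Criterion (2) = network layer: the IP header is inside the ICV."""
    return icv(ah_immutable(ip_hdr) + transport)


def esp_transport_icv(transport: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """Criterion (2) = transport layer: ESP header + segment; IP header excluded."""
    return icv(struct.pack("!II", spi, seq) + transport)


def esp_tunnel_icv(inner_hdr: bytes, transport: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    """Tunnel mode: the inner IP header is covered, the outer header is not."""
    return icv(struct.pack("!II", spi, seq) + inner_hdr + transport)
```

Changing the TTL leaves the AH value intact, rewriting the source address changes AH transport but not ESP transport, and in tunnel mode only the inner header matters; those are the checks a receiver can and cannot make under each mode.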
