[e2e] where to put endpoint authentication?
Joe Touch
touch at ISI.EDU
Mon May 10 10:21:34 PDT 2004
RJ Atkinson wrote:
...
> Transport-mode IPsec (where IPsec == {AH, ESP}) provides
> transport-layer security. Tunnel-mode IPsec provides network-layer
> security. IPsec is supported by key management from IKE.
> (NB: In my terminology, IKE is not "IPsec" but is instead a
> separate key management protocol that could be used for protocols
> unrelated to IPsec. Terminology varies widely for "IPsec".).
There are two distinct properties of the security protocols I mentioned:
1. the layer where the security is performed or inserted
(what header is modified)
2. the layer protected
I was generally labelling solutions with respect to (1), and discussed
(2) as a property.
----
W.r.t. IPsec, both AH and ESP are network-layer by criterion (1).
Transport-mode AH is network-layer by criterion (2). The transport
payload is also protected. The transport protocol and port may be
constrained, but that is not required.
Transport-mode ESP is transport-layer by criterion (2).
----
Tunnel mode is an odd case (in many ways ;-), since it combines
network-layer tunneling with network-layer (criterion 1) security. The
primary difference with transport mode is that tunnel mode checks the
inner IP addresses at the receiver and not any transport protocol or
port information. However, that's equivalent to checking the 'transport'
(w.r.t. the outer packet header) criterion. At that point, whether tunnel
mode protects network or 'transport' depends on whether ESP or AH is used.
Joe
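The following is an added example, not part of the original thread or of any IPsec implementation. It models the header stack of the four AH/ESP variants and derives the two criteria from the stack itself: criterion (1) from the header that sits in front of the security header, and criterion (2) from what the integrity check covers (AH also authenticates the immutable fields of the preceding IP header, per RFC 2402; ESP covers only what follows its own header, per RFC 2406). The layer label "inner-network" is this example's own name for the encapsulated IP header, i.e. the 'transport' payload w.r.t. the outer packet header in the message's terminology. Header names and layer labels are constructed for the example.

```python
# Added example (not from the thread): compute, from a modelled header stack,
# (1) the layer at which the IPsec header is inserted and
# (2) the outermost layer whose header is integrity-protected.

# Ordering used to decide which covered layer is "outermost" (constructed).
LAYER_ORDER = ["network", "inner-network", "transport", "application"]


def build(mode, proto):
    """Return the header stack as a list of (header_name, layer) tuples.

    mode  : 'transport' or 'tunnel'
    proto : 'AH' or 'ESP'
    """
    if proto not in ("AH", "ESP"):
        raise ValueError("proto must be 'AH' or 'ESP'")
    if mode == "transport":
        # Security header is inserted between the IP header and the transport header.
        return [("IP", "network"), (proto, "ipsec"),
                ("TCP", "transport"), ("data", "application")]
    if mode == "tunnel":
        # A new outer IP header is added; the whole original packet follows the
        # security header, so the original IP header becomes an inner header.
        return [("IP", "network"), (proto, "ipsec"), ("IP", "inner-network"),
                ("TCP", "transport"), ("data", "application")]
    raise ValueError("mode must be 'transport' or 'tunnel'")


def _ipsec_index(headers):
    """Position of the AH/ESP header in the stack."""
    return next(i for i, (name, _) in enumerate(headers) if name in ("AH", "ESP"))


def inserted_layer(headers):
    """Criterion (1): the layer of the header that precedes the security header."""
    i = _ipsec_index(headers)
    return headers[i - 1][1]


def integrity_coverage(headers):
    """Header names covered by the integrity check (ICV).

    AH covers the immutable fields of the IP header in front of it plus
    everything after; ESP covers only the ESP header and what follows it.
    """
    i = _ipsec_index(headers)
    covered = [name for name, _ in headers[i:]]
    if headers[i][0] == "AH":
        covered = [headers[i - 1][0]] + covered
    return covered


def confidentiality_coverage(headers):
    """Header names encrypted: everything after an ESP header; nothing for AH."""
    i = _ipsec_index(headers)
    if headers[i][0] != "ESP":
        return []
    return [name for name, _ in headers[i + 1:]]


def protected_layer(headers):
    """Criterion (2): the outermost layer whose header is integrity-protected."""
    i = _ipsec_index(headers)
    covered_layers = {layer for name, layer in headers if layer != "ipsec"
                      and name in integrity_coverage(headers)}
    # In tunnel mode both IP headers are named "IP"; resolve by position:
    # the outer IP header is covered only if it is the header preceding AH.
    if headers[i][0] == "ESP":
        covered_layers.discard("network")
    return min(covered_layers, key=LAYER_ORDER.index)


def classify(mode, proto):
    """Summarise both criteria for one (mode, proto) pair."""
    h = build(mode, proto)
    return {"inserted": inserted_layer(h), "protected": protected_layer(h)}


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for proto in ("AH", "ESP"):
            print(f"{mode:9s} {proto:3s} -> {classify(mode, proto)}")
```

Running the block prints one line per variant; the point to notice is that criterion (1) comes out as "network" for all four, while criterion (2) is "network" for AH in either mode, "transport" for transport-mode ESP, and "inner-network" (the 'transport' payload relative to the outer header) for tunnel-mode ESP.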