HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 1 41
Transport Mode

In transport mode, IPsec inserts the ESP header after the original IP header, and adds the ESP trailer and authentication value to the end of the packet. Only the IP payload (e.g., a TCP, UDP, or IGMP packet) is secured (encrypted and authenticated); the IP header is not secured. Transport mode is typically used for end-to-end security. Figure 1-4 shows IPv4 ESP packets in transport mode.

Figure 1-4 ESP Transport Mode
Tunnel Mode

In tunnel mode, IPsec encloses, or encapsulates, the original IP packet, including the original IP header, within a second IP datagram. All of the original IP packet, including the original header, is secured. Tunnel mode is typically used on secure gateways. When ESP is used in tunnel mode on gateways, the outer, unencrypted IP header contains the IP addresses of the gateways, and the inner, encrypted IP header contains the end source and destination IP addresses. This prevents eavesdroppers from detecting or analyzing traffic between the end source and destination addresses. Figure 1-5 shows IPv4 ESP packets in tunnel mode.

Figure 1-5 ESP Tunnel Mode
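The two IPv4 ESP layouts described above (transport mode and tunnel mode), as an added Python example that is not code from the HP-UX IPSec guide: it builds both packet forms from a constructed inner packet, leaves encryption out so the header and trailer placement stays readable, and computes an HMAC-SHA1-96 integrity check value with a constructed key. The host and gateway addresses, SPI values and key are assumptions.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4   # ESP "next header" value when the payload is a whole IPv4 packet
ICV_LEN = 12     # HMAC-SHA1-96 integrity check value length

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum left zero (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_wrap(payload, next_header, spi, seq, key, align=4):
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length,
    next header) + ICV. Encryption is left out so the layout stays visible;
    padding makes payload + 2 trailer bytes a multiple of `align`."""
    pad_len = (-(len(payload) + 2)) % align
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def transport_mode(inner, spi, seq, key):
    """Transport mode: the original IP header stays in the clear; ESP protects only
    the payload, and the trailer's next-header field records the original protocol."""
    hdr, payload = bytearray(inner[:20]), inner[20:]
    esp = esp_wrap(payload, hdr[9], spi, seq, key)
    hdr[9] = ESP_PROTO                               # protocol field now says ESP
    struct.pack_into("!H", hdr, 2, 20 + len(esp))    # fix the total length
    return bytes(hdr) + esp

def tunnel_mode(inner, gw_src, gw_dst, spi, seq, key):
    """Tunnel mode: the whole original packet, header included, is the ESP payload;
    a new outer header carries only the gateway addresses."""
    esp = esp_wrap(inner, IPIP_PROTO, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def describe(pkt, key):
    """What an observer sees in the outer header, plus ESP fields and an ICV check."""
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9], "spi": spi, "seq": seq, "next_header": body[-1],
            "icv_ok": hmac.compare_digest(expected, icv)}

# Constructed sample: a TCP segment from host 10.1.1.5 to host 10.2.2.7.
KEY = b"constructed-auth-key"
TCP_SEG = b"\x00\x50\x1f\x90TEST"
INNER = ipv4_header("10.1.1.5", "10.2.2.7", 6, len(TCP_SEG)) + TCP_SEG
```

Running `describe()` on the two outputs shows the point of the figures: in transport mode the end-host addresses and ESP protocol number are visible, while in tunnel mode only the gateway addresses appear and the inner packet, header included, sits whole inside the ESP payload.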
IPv6 ESP Transport Mode

In IPv6 ESP transport mode (shown in Figure 1-6), IPsec inserts the ESP header after the following headers and extensions:

• the basic IPv6 header
• hop-by-hop options
• any destination options needed to interpret the ESP header