IPSec, routing protocols & QoS

IPSec employs two methods of forwarding data across a network for both the AH and ESP protocols:
Tunnel mode
Transport mode

IPSec tunnel mode can completely encapsulate and protect the contents of an entire IP packet, including the original IP header. Tunnel mode is generally used for IP unicast-based traffic. If there is a requirement to apply IPSec to multicast applications, non-IP traffic, or routing protocols that use multicast addressing, then the additional use of a GRE header is needed.

With IPSec and GRE working together in tunnel mode, support is available for multicast applications; routing protocols such as OSPF, RIPv2, EIGRP; and transport of non-IP traffic.

Transport mode for either the AH or ESP protocol encapsulates the upper-layer payload, above the IP layer. These are typical Layer 4 and higher payloads such as TCP, UDP, BGP, and so on. This leaves the original Layer 3 IP header intact, because it might be needed for certain network services, such as applications that need to use QoS classifications. (An encrypted original IP header can't be used for QoS applications.)
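The following Python model is an added example, not part of the original post. It builds the ESP transport-mode, tunnel-mode and GRE-inside-tunnel-mode layouts described above and reports which IP header fields a router between the peers can still read. The addresses and payloads are constructed, the XOR is a stand-in for encryption rather than real cryptography, and the `outer_dscp` parameter is an assumption of the model.

```python
import socket
import struct

ESP, GRE, UDP, OSPF = 50, 47, 17, 89   # IP protocol numbers
IPH = "!BBHHHBBH4s4s"                  # fixed 20-byte IPv4 header

def ipv4(src, dst, proto, payload, dscp=0):
    """IPv4 header (checksum left at 0 in this model) followed by payload."""
    return struct.pack(IPH, 0x45, dscp << 2, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def esp(next_header, data, spi=0x1001, seq=1):
    """SPI and sequence number stay in clear; data and trailer become opaque.
    The XOR is a stand-in for encryption, NOT real cryptography; ICV omitted."""
    body = data + bytes([0, next_header])      # pad length, next header
    return struct.pack("!II", spi, seq) + bytes(b ^ 0xA5 for b in body)

def transport(pkt):
    """Transport mode: original IP header kept, only its payload protected."""
    f = struct.unpack(IPH, pkt[:20])
    return ipv4(socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), ESP,
                esp(f[6], pkt[20:]), dscp=f[1] >> 2)

def tunnel(pkt, gw_src, gw_dst, outer_dscp=0):
    """Tunnel mode: the entire original packet, header included, is protected.
    outer_dscp is a parameter of this model (assumption)."""
    return ipv4(gw_src, gw_dst, ESP, esp(4, pkt), dscp=outer_dscp)  # 4 = IPv4

def gre(pkt):
    """Basic GRE header: no flags, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + pkt

def on_path_view(pkt):
    """Fields a router between the peers can read for classification."""
    f = struct.unpack(IPH, pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "dscp": f[1] >> 2, "proto": f[6]}

# Constructed sample traffic using documentation addresses.
GW_A, GW_B = "203.0.113.1", "203.0.113.2"
voice = ipv4("192.0.2.10", "198.51.100.20", UDP, b"rtp-sample", dscp=46)
hello = ipv4("10.0.0.1", "224.0.0.5", OSPF, b"ospf-hello")  # multicast dst
gre_hello = tunnel(ipv4(GW_A, GW_B, GRE, gre(hello)), GW_A, GW_B)

if __name__ == "__main__":
    print("transport:", on_path_view(transport(voice)))
    print("tunnel:   ", on_path_view(tunnel(voice, GW_A, GW_B)))
    print("gre+ipsec:", on_path_view(gre_hello))
```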
