
Step 3—Configuring Encryption
Cisco 7100 Series VPN Configuration Guide
3-24
Note In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are left intact. (See Figure 3-4.) This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet, so you can enable special processing (for example, QoS) in the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits how far the packet can be examined. Because the IP header is passed in the clear, transport mode also allows an attacker to perform some traffic analysis.

In IPSec tunnel mode, the entire original IP datagram is encrypted and becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy; that is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPSec. Tunnel mode also protects against traffic analysis: with tunnel mode an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints. (See the "Defining Transform Sets and Configuring IPSec Tunnel Mode" section on page 4-13 for an IPSec tunnel configuration example.)
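The following toy model, added here as an illustration and not taken from the Cisco guide, shows the difference the note describes: in transport mode the outer header still carries the real host addresses and only the Layer 4 data is inside ESP, while in tunnel mode the whole original datagram is wrapped and an on-path observer sees only the two router (tunnel endpoint) addresses. The IP header layout, the hypothetical host and router addresses, the sample TCP bytes, the key and the HMAC-based keystream are all constructed for the demo; it is not a real IPsec or ESP implementation, only the encapsulation structure.

```python
"""Toy model of IPsec ESP encapsulation in transport vs tunnel mode (constructed demo, not a real stack)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP = 50   # IP protocol number that the outer header shows for ESP
TCP = 6
IPIP = 4   # ESP "next header" value meaning "an entire IP datagram follows" (tunnel mode)

# Constructed sample addresses and key (hypothetical, not from the guide)
HOST_A, HOST_B = "10.1.1.5", "10.2.2.9"          # true endpoints behind the routers
ROUTER_A, ROUTER_B = "192.0.2.1", "198.51.100.1"   # tunnel endpoints
KEY = b"constructed-demo-key-do-not-reuse"
L4 = b"\x00\x50\x1f\x90GET / HTTP/1.1\r\n"          # constructed TCP header + payload bytes
ORIG = None  # filled in below once IPHeader is defined


@dataclass(frozen=True)
class IPHeader:
    """Minimal header: src, dst, protocol. Simplified layout, not the real IPv4 format."""
    src: str
    dst: str
    proto: int

    def pack(self) -> bytes:
        return (bytes(map(int, self.src.split("."))) +
                bytes(map(int, self.dst.split("."))) + bytes([self.proto]))

    @classmethod
    def unpack(cls, b: bytes):
        hdr = cls(".".join(map(str, b[0:4])), ".".join(map(str, b[4:8])), b[8])
        return hdr, b[9:]


ORIG = IPHeader(HOST_A, HOST_B, TCP)   # the datagram host A originally sends


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Deterministic keystream bound to SPI and sequence number (demo cipher, not real ESP crypto)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(key: bytes, spi: int, seq: int, next_header: int, plaintext: bytes) -> bytes:
    """ESP shape: [SPI, seq] | encrypted(plaintext + next_header) | ICV over header+ciphertext."""
    body = plaintext + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, spi, seq, len(body))))
    hdr = struct.pack(">II", spi, seq)
    icv = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:12]
    return hdr + ct + icv


def esp_decapsulate(key: bytes, esp: bytes):
    """Verify the ICV first, then decrypt. Returns (next_header, plaintext)."""
    hdr, ct, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack(">II", hdr)
    body = bytes(a ^ b for a, b in zip(ct, _keystream(key, spi, seq, len(ct))))
    return body[-1], body[:-1]


def transport_mode(key: bytes, spi: int, seq: int, ip: IPHeader, l4: bytes) -> bytes:
    """Original IP header stays in the clear; only the L4 header and payload go inside ESP."""
    outer = IPHeader(ip.src, ip.dst, ESP)
    return outer.pack() + esp_encapsulate(key, spi, seq, ip.proto, l4)


def tunnel_mode(key: bytes, spi: int, seq: int, ip: IPHeader, l4: bytes,
                tun_src: str, tun_dst: str) -> bytes:
    """Whole original datagram becomes the ESP payload; new outer header names the tunnel endpoints."""
    outer = IPHeader(tun_src, tun_dst, ESP)
    return outer.pack() + esp_encapsulate(key, spi, seq, IPIP, ip.pack() + l4)


def on_path_view(packet: bytes) -> dict:
    """What a device in the public network can read without the key: outer header and size only."""
    hdr, rest = IPHeader.unpack(packet)
    return {"src": hdr.src, "dst": hdr.dst, "proto": hdr.proto, "esp_bytes": len(rest)}


def decapsulate(key: bytes, packet: bytes):
    """Receiver side for either mode: returns (original IP header, L4 bytes)."""
    outer, esp = IPHeader.unpack(packet)
    next_header, plaintext = esp_decapsulate(key, esp)
    if next_header == IPIP:                       # tunnel mode: an inner datagram is inside
        return IPHeader.unpack(plaintext)
    return IPHeader(outer.src, outer.dst, next_header), plaintext   # transport mode


if __name__ == "__main__":
    t = transport_mode(KEY, 0x1001, 1, ORIG, L4)
    u = tunnel_mode(KEY, 0x1002, 1, ORIG, L4, ROUTER_A, ROUTER_B)
    print("transport, seen on path:", on_path_view(t))   # real hosts visible, proto 50
    print("tunnel,    seen on path:", on_path_view(u))   # only router addresses visible
    print("tunnel extra bytes:", len(u) - len(t))         # the encapsulated inner header
```

Running it shows the trade-off in the note directly: the transport packet's outer header reveals 10.1.1.5 and 10.2.2.9 (usable for QoS, but also for traffic analysis), while the tunnel packet reveals only 192.0.2.1 and 198.51.100.1, at the cost of the extra inner-header bytes, and neither exposes the Layer 4 header.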