
Extranet VPN Business Scenario 4-15
Configuring IPSec and IPSec Tunnel Mode
Note In IPSec tunnel mode, the entire original IP datagram is encrypted and becomes the
payload of a new IP packet. This mode allows a network device, such as a router, to act as an
IPSec proxy; that is, the router performs encryption on behalf of the hosts. The source's
router encrypts packets and forwards them along the IPSec tunnel; the destination's router
decrypts the original IP datagram and forwards it on to the destination system. The major
advantage of tunnel mode is that the end systems do not need to be modified to receive the
benefits of IPSec. Tunnel mode also limits traffic analysis: an attacker can determine only
the tunnel endpoints, not the true source and destination of the tunneled packets, even when
those are the same as the tunnel endpoints. (Packet sizes and timing remain visible, so tunnel
mode hides who is talking, not that a conversation is taking place. The encryption described
here is provided by ESP; an AH-only transform set authenticates the datagram without
encrypting it.)
In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are
left intact. (See Figure 4-4.) This mode has the advantage of adding only a few bytes to each
packet. It also allows devices on the public network to see the final source and destination
of the packet, which lets you enable special processing (for example, QoS) in the
intermediate network based on the information in the IP header. However, the Layer 4
header is encrypted, which limits how far intermediate devices can examine the packet.
Unfortunately, because the IP header passes in the clear, transport mode allows an attacker
to perform some traffic analysis. (See the "Defining Transform Sets" section on page 3-22
for an IPSec transport mode configuration example.)
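The two paragraphs above describe the same trade-off from both sides: what the encapsulation adds to each packet and what an on-path observer can still read. The following Python script is an added example, not code from this Cisco document, that builds ESP packets in tunnel mode and in transport mode for one constructed UDP datagram, shows the observer's view of each, and decapsulates them at the receiving end. The addresses, the SPI values and the shared key are constructed for the demonstration, and the cipher is a stand-in SHA-256 counter-mode keystream so the script runs with the standard library only; a real SA uses a negotiated key and a real cipher such as AES, and IP checksums are left at zero because nothing is sent on a wire.

```python
import hashlib
import hmac
import struct

ESP = 50        # IP protocol number carried in the outer header for ESP
IP_IN_IP = 4    # ESP "next header" meaning "an IPv4 datagram follows" (tunnel mode)
UDP = 17
DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # constructed; a real SA key comes from IKE

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum stays zero because this never hits a wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))

def parse_ipv4(pkt):
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"src": ".".join(map(str, fields[8])), "dst": ".".join(map(str, fields[9])),
            "proto": fields[6], "payload": pkt[ihl:fields[2]]}

def build_udp_packet(src, dst, sport, dport, data):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, UDP, len(udp)) + udp

def keystream(key, spi, seq, n):
    # Stand-in cipher: SHA-256 in counter mode keyed by (key, SPI, seq). Real ESP uses AES.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]

def esp_encapsulate(key, spi, seq, plaintext, next_header):
    # RFC 4303 layout: SPI | seq | encrypted(payload | padding | pad len | next header) | ICV
    pad_len = (-(len(plaintext) + 2)) % 4          # trailer must end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:12]
    return header + ciphertext + icv

def esp_decapsulate(key, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    ciphertext, icv = esp[8:-12], esp[-12:]
    expected = hmac.new(key, esp[:8] + ciphertext, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    body = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]

def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    # The whole original datagram becomes the ESP payload; a new outer header names the gateways.
    esp = esp_encapsulate(key, spi, seq, inner_packet, IP_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def transport_mode(key, spi, seq, packet):
    # The original header stays (protocol field now says ESP); only the Layer 4 data is protected.
    p = parse_ipv4(packet)
    esp = esp_encapsulate(key, spi, seq, p["payload"], p["proto"])
    return ipv4_header(p["src"], p["dst"], ESP, len(esp)) + esp

def observer_view(packet):
    # What an on-path device or attacker can read without the SA key.
    p = parse_ipv4(packet)
    view = {"src": p["src"], "dst": p["dst"], "proto": p["proto"], "length": len(packet)}
    if p["proto"] == ESP:
        view["spi"], view["seq"] = struct.unpack("!II", p["payload"][:8])
    else:
        view["sport"], view["dport"] = struct.unpack("!HH", p["payload"][:4])  # cleartext TCP/UDP
    return view

def receive(key, packet):
    # Receiving gateway (tunnel) or host (transport): strip ESP and restore the original datagram.
    p = parse_ipv4(packet)
    next_header, inner = esp_decapsulate(key, p["payload"])
    if next_header == IP_IN_IP:
        return inner
    return ipv4_header(p["src"], p["dst"], next_header, len(inner)) + inner

def is_authentic(key, packet):
    try:
        receive(key, packet)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    original = build_udp_packet("10.1.1.10", "10.2.2.20", 40000, 53, b"query")   # constructed
    for name, pkt in (("tunnel", tunnel_mode(DEMO_KEY, 0x1000, 1, "203.0.113.1", "198.51.100.1", original)),
                      ("transport", transport_mode(DEMO_KEY, 0x1001, 1, original))):
        print(name, observer_view(pkt), "restored:", receive(DEMO_KEY, pkt) == original)
```

Running it shows the two points the text makes: the tunnel-mode observer sees only the gateway addresses and an SPI, while the transport-mode observer sees the real host addresses but no ports, because the UDP header is inside the ESP payload. For this input the tunnel-mode packet is exactly 20 bytes longer than the transport-mode one (the new outer IPv4 header); the ESP header, trailer and ICV are the same cost in both modes. On the router, the choice between the two is the `mode tunnel` or `mode transport` keyword under the transform set, and the SPI and key are negotiated by IKE rather than fixed as they are here.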