Brocade Web Tools Administrator's Guide v7.1.0 (53-1002756-01, March 2013)
Web Tools Administrator’s Guide 189
53-1002756-01
IPsec concepts
15
There are several protocols and algorithms that can be applied. Choosing the protocols and
algorithms you want to use may be a matter of adapting to an implementation that is already in
place in your LAN, or you may need to do a significant amount of research and planning. The
supported protocols and algorithms are defined and described in the RFCs listed in Table 17.
Transport mode and tunnel mode
Transport mode adds an authentication header (AH) before the IP header. Only a single pair of
addresses is used (those in the IP header). When transport mode is used, both endpoints
implement IPsec.
Tunnel mode encapsulates an IP datagram in a new datagram, with a new IP header specifying the
addresses of the tunnel end points. IPsec is implemented between tunnel endpoints. IPsec is
transparent to the actual endpoints within the IP header in the original packet.
Figure 41 provides a basic visual comparison of how transport mode and tunnel mode modify an IP
datagram.
TABLE 17 Relevant RFCs
RFC number Title
RFC 4301 Security Architecture for the Internet Protocol
RFC 4302 IP Authentication Header
RFC 4303 IP Encapsulating Security Payload
RFC 4304 Extended Sequence Number (ESN) Addendum
to IPsec Domain of Interpretation (DOI) for
Internet Security Association and Key
Management Protocol (ISAKMP)
RFC 4305 Cryptographic Algorithm Implementation
Requirements for Encapsulating Security
Payload (ESP) and Authentication Header
RFC 4869 Suite B Cryptographic Suites for IPsec
RFC 4309 Using Advanced Encryption Standard (AES)
CCM Mode with IPsec Encapsulating Security
Payload (ESP)
RFC 4306 Internet Key Exchange Version 2 (IKEv2)
Protocol
RF C4307 Cryptographic Algorithms for Internet Key
Exchange Version 2 (IKEv2)
RFC 3971 Secure Neighbor Discovery
RFC 3972 Cryptographically Generated Addresses
RFC 3041 Privacy Extensions for Stateless Address Auto
configuration in IPv6