Skip to content

Page144

Tunnel and Transport Mode

IPsec can be used in tunnel mode or transport mode. Tunnel mode is used by security gateways (which can provide point-to-point IPsec tunnels). ESP Tunnel mode encrypts the entire packet, including the original packet headers. ESP Transport mode only encrypts the data (and not the original headers); this is commonly used when the sending and receiving system can “speak” IPsec natively.

AH authenticates the original IP headers, so it is often used (along with ESP) in transport mode, because the original headers are not encrypted. Tunnel mode typically uses ESP alone (the original headers are encrypted, and thus protected, by ESP).

Note
IPsec is an example of a protocol built by committee, and that is not a compliment. It is overly complex, with multiple overlapping parts. Complexity is the enemy of security. See Bruce Schneier and Niels Ferguson’s A Cryptographic Evaluation of IPsec, where they argue that AH mode and transport mode should be removed entirely: “Our main criticism of IPsec is its complexity. IPsec contains too many options and too much flexibility; there are often several ways of doing the same or similar things” [47]. See https://www.schneier.com/academic/archives/2003/12/a_cryptographic_eval.html.

IKE

IPsec can use a variety of encryption algorithms, such as MD5 or SHA-1 for integrity, and triple DES or AES for confidentiality. The Internet Key Exchange negotiates the algorithm selection process. Two sides of an IPsec tunnel will typically use IKE to negotiate to the highest and fastest level of security, selecting AES over single DES for confidentiality if both sides support AES, for example.

PGP

Pretty Good Privacy (PGP) brought asymmetric encryption to the masses. Phil Zimmerman created a controversy when he released PGP in 1991. For the first time, an average computer user could easily leverage the power of asymmetric encryption, which allows strangers (including criminals) to securely communicate without pre-sharing a key.

Zimmerman was investigated for munitions export violations by the United States government after the PGP source code was posted to the Usenet bulletin board system in 1991. The prosecutors dropped the case in 1996. RSA complained to Zimmerman for including the (then) patented RSA algorithm in PGP. Zimmerman had encouraged users to pay RSA for a license if they used the algorithm. Zimmerman agreed to stop publishing PGP to address the patent issue (though copies were freely available from other sources).

PGP provides the modern suite of cryptography: confidentiality, integrity, authentication, and non-repudiation. It can be used to encrypt emails, documents, or an entire disk drive. PGP uses a Web of trust model to authenticate digital certificates, instead of relying on a central certificate authority (CA). If you trust that my digital certificate authenticates my identity, the Web of trust means you trust all the digital certificates that I trust. In other words, if you trust me, you trust everyone I trust.