Please Whitelist This Site? I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :) If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads. If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK. Thanks for your understanding! Sincerely, Charles Kozierok Author and Publisher, The TCP/IP Guide

NOTE: Using software to mass-download the site degrades the server and is prohibited. If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The TCP/IP Guide  9  TCP/IP Lower-Layer (Interface, Internet and Transport) Protocols (OSI Layers 2, 3 and 4)       9  TCP/IP Internet Layer (OSI Network Layer) Protocols            9  Internet Protocol (IP/IPv4, IPng/IPv6) and IP-Related Protocols (IP NAT, IPSec, Mobile IP)                 9  IP Security (IPSec) Protocols

IPSec General Operation, Components and Protocols 1 2 3 IPSec Modes: Transport and Tunnel

“Bump In The Wire” (BITW) Architecture

In this method we add a hardware device that provides IPSec services. For example, suppose we have a company with two sites. Each has a network that connects to the Internet using a router that is not capable of IPSec functions. We can interpose a special “IPSec” device between the router and the Internet at both sites, as shown in Figure 118. These devices will then intercept outgoing datagrams and add IPSec protection to them, and strip it off incoming datagrams.

Just as BITS lets us add IPSec to legacy hosts, BITW can “retrofit” non-IPSec routers to provide security benefits. The disadvantages are complexity and cost.

Incidentally, even though BITS and BITW seem quite different, they are really different ways of doing the same thing. In the case of BITS we add an extra software layer that adds security to existing IP datagrams; in BITW this same job is done by distinct hardware devices. In both cases the result is the same, and the implications on the choice of IPSec mode is likewise the same.

As we will see in the next topic, the choice of architecture has an important impact on which of the two IPSec modes can be used.

IPSec General Operation, Components and Protocols 1 2 3 IPSec Modes: Transport and Tunnel