Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide


NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

Read offline with no ads or diagram watermarks!
The TCP/IP Guide

Custom Search







Table Of Contents  The TCP/IP Guide
 9  TCP/IP Lower-Layer (Interface, Internet and Transport) Protocols (OSI Layers 2, 3 and 4)
      9  TCP/IP Internet Layer (OSI Network Layer) Protocols
           9  Internet Protocol (IP/IPv4, IPng/IPv6) and IP-Related Protocols (IP NAT, IPSec, Mobile IP)
                9  IP Security (IPSec) Protocols

Previous Topic/Section
IPSec General Operation, Components and Protocols
Previous Page
Pages in Current Topic/Section
12
3
Next Page
IPSec Modes: Transport and Tunnel
Next Topic/Section

IPSec Architectures and Implementation Methods
(Page 3 of 3)

“Bump In The Wire” (BITW) Architecture

In this method we add a hardware device that provides IPSec services. For example, suppose we have a company with two sites. Each has a network that connects to the Internet using a router that is not capable of IPSec functions. We can interpose a special “IPSec” device between the router and the Internet at both sites, as shown in Figure 118. These devices will then intercept outgoing datagrams and add IPSec protection to them, and strip it off incoming datagrams.


Figure 118: IPSec “Bump In The Wire” (BITW) Architecture

In this IPSec architecture, IPSec is actually implemented in separate devices that sit between the devices that wish to communicate securely. These repackage insecure IP datagrams for transport over the public Internet.

 


Just as BITS lets us add IPSec to legacy hosts, BITW can “retrofit” non-IPSec routers to provide security benefits. The disadvantages are complexity and cost.

Parallels Between BITS and BITW

Incidentally, even though BITS and BITW seem quite different, they are really different ways of doing the same thing. In the case of BITS we add an extra software layer that adds security to existing IP datagrams; in BITW this same job is done by distinct hardware devices. In both cases the result is the same, and the implications on the choice of IPSec mode is likewise the same.

As we will see in the next topic, the choice of architecture has an important impact on which of the two IPSec modes can be used.

Key Concept: Three different architectures or implementation models are defined for IPSec. The best is integrated architecture, where IPSec is built into the IP layer of devices directly. The other two are “Bump In The Stack” (BITS) and “Bump In The Wire” (BITW), which both are ways of layering IPSec underneath regular IP, using software and hardware solutions respectively.



Previous Topic/Section
IPSec General Operation, Components and Protocols
Previous Page
Pages in Current Topic/Section
12
3
Next Page
IPSec Modes: Transport and Tunnel
Next Topic/Section

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.