11.5. Transport Mode

Transport mode is used to secure a connection between two hosts, as shown in Figure 11.5. That is, the endpoints are specific hosts rather than two networks or a host and a network.

[Figure 11.5. An AH Transport Tunnel]
In transport mode, the AH header is inserted into the IP datagram just after the IP header and options, as shown in Figure 11.6. Notice that we show only half of the IP header as being authenticated. This represents the fact that the mutable fields in the IP header are not covered by the authentication.

[Figure 11.6. Transport-Mode AH Encapsulation of a TCP Segment]
We can see an example of this encapsulation by configuring transport-mode AH between laptop and bsd, as shown in Figure 11.7.

[Figure 11.7. Testbed for AH]
Once the tunnel is established, we ping bsd from laptop and capture the result with tcpdump:

    1   18:00:02.334647 IP 192.168.123.5 > 192.168.123.1: AH(spi=0x0504cb4c,seq=0x1): icmp 64: echo request seq 512
    1.1 4500 006c 00a8 0000 4033 0260 c0a8 7b05    E..l....@3.'..{.
    1.2 c0a8 7b01 0104 0000 0504 cb4c 0000 0001    ..{........L....
    1.3 3185 466e 8b64 587f b8e9 c757 0800 27b7    1.Fn.dX....W..'.
    1.4 4b01 0200 f2dc 2c42 7425 0500 0809 0a0b    K.....,Bt%......
    1.5 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b    ................
    1.6 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b    .....!"#$%&'()*+
    1.7 2c2d 2e2f 3031 3233 3435 3637              ,-./01234567

The AH header is the boldface portion of lines 1.2 and 1.3: it begins with 0104 on line 1.2 (next header 0x01, ICMP, and a length of 4) and ends with c757 on line 1.3. Comparing the dump with Figure 11.2, we see that the SPI and sequence number have the values shown in line 1. Notice that the length (4) is two less than the size of the header in 32-bit words (6), as expected. The part of the header on line 1.3 is the authentication data, HMAC-SHA1-96 in this case. Immediately following the AH header is the ICMP packet with a type of echo request (0x08). If we look again at Figure 11.1, we see that the source address field of the IP datagram is part of the authenticated data. This means that AH cannot be used with NAT, because NAT will change the source IP address.
This is the first of many problems that we will encounter between NAT and IPsec. For now, we merely note that AH will generally have difficulty with NAT because of the authenticated source IP address.
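As an added example (not code from the book or its testbed), the following Python parses the capture above the same way the text walks through it, recovering the AH fields and the ICMP echo request, and then builds the byte image that AH authenticates, with the mutable IP fields zeroed, to show why a NAT rewrite of the source address invalidates the ICV while a TTL decrement does not. It assumes a 20-byte IPv4 header with no options, as in the capture, and does not verify the ICV itself, since the SA key is not on the page.

```python
import struct

# Hex of the tcpdump capture above (dump lines 1.1 to 1.7), constructed here
# as one string so the example runs offline.
AH_TRANSPORT_DUMP = bytes.fromhex(
    "4500006c00a8000040330260c0a87b05" "c0a87b01010400000504cb4c00000001"
    "3185466e8b64587fb8e9c757080027b7" "4b010200f2dc2c427425050008090a0b"
    "0c0d0e0f101112131415161718191a1b" "1c1d1e1f202122232425262728292a2b"
    "2c2d2e2f3031323334353637"
)
IPPROTO_AH = 51

def parse_ah_transport(pkt: bytes) -> dict:
    """Parse IPv4 + AH (transport mode) and return the fields tcpdump printed."""
    ihl = (pkt[0] & 0x0F) * 4
    tot_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_AH:
        raise ValueError("not an IPv4 datagram carrying AH")
    # Fixed AH part: next header, payload length, reserved, SPI, sequence number.
    nxt, plen, _rsv, spi, seq = struct.unpack("!BBHII", pkt[ihl:ihl + 12])
    ah_words = plen + 2            # payload length = header size in 32-bit words minus 2
    icv = pkt[ihl + 12:ihl + ah_words * 4]        # ICV (HMAC-SHA1-96 here: 12 bytes)
    payload = pkt[ihl + ah_words * 4:tot_len]     # next header, i.e. the ICMP message
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "next_header": nxt, "payload_len": plen, "ah_words": ah_words,
            "spi": spi, "seq": seq, "icv": icv.hex(),
            "icmp_type": payload[0], "icmp_seq": struct.unpack("!H", payload[6:8])[0]}

def ah_authenticated_image(pkt: bytes) -> bytes:
    """Bytes the AH ICV is computed over: mutable IP fields and the ICV zeroed.
    Assumes a 20-byte IP header without options (hypothetical simplification)."""
    ihl = (pkt[0] & 0x0F) * 4
    tot_len = struct.unpack("!H", pkt[2:4])[0]
    img = bytearray(pkt[:tot_len])
    img[1] = 0                       # TOS/DSCP/ECN
    img[6:8] = b"\x00\x00"           # flags and fragment offset
    img[8] = 0                       # TTL
    img[10:12] = b"\x00\x00"         # header checksum
    ah_words = img[ihl + 1] + 2
    img[ihl + 12:ihl + ah_words * 4] = bytes(ah_words * 4 - 12)   # ICV field itself
    return bytes(img)

def nat_breaks_ah(pkt: bytes, new_src: str) -> bool:
    """True when rewriting the source address changes the authenticated image."""
    rewritten = bytearray(pkt)
    rewritten[12:16] = bytes(int(o) for o in new_src.split("."))
    return ah_authenticated_image(pkt) != ah_authenticated_image(bytes(rewritten))
```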