IPSec Architectures and Implementation Methods (Page 3 of 3)

Bump In The Wire (BITW) Architecture

In this method we add a hardware device that provides IPSec services. For example, suppose we have a company with two sites. Each has a network that connects to the Internet using a router that is not capable of IPSec functions. We can interpose a special IPSec device between the router and the Internet at both sites, as shown in Figure 118. These devices will then intercept outgoing datagrams and add IPSec protection to them, and strip it off incoming datagrams.

Just as BITS lets us add IPSec to legacy hosts, BITW can retrofit non-IPSec routers to provide security benefits. The disadvantages are complexity and cost.

Incidentally, even though BITS and BITW seem quite different, they are really different ways of doing the same thing. In the case of BITS we add an extra software layer that adds security to existing IP datagrams; in BITW this same job is done by distinct hardware devices. In both cases the result is the same, and the implications for the choice of IPSec mode are likewise the same. As we will see in the next topic, the choice of architecture has an important impact on which of the two IPSec modes can be used.
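The intercept, protect and strip behaviour described above can be modelled in a few lines. This is an added example, not code from The TCP/IP Guide: the `BitwDevice` class, the SPI and sequence-number header, the truncated HMAC-SHA-256 tag and the sample key are assumptions of the model, which covers integrity and replay checks only and does not reproduce the real AH or ESP wire formats.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # tag length chosen for this model (assumption)

class BitwDevice:
    """Hypothetical model of a BITW box between a site's router and the Internet."""
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.tx_seq, self.rx_highest = 0, 0  # last sent / highest accepted sequence

    def _icv(self, header: bytes, datagram: bytes) -> bytes:
        return hmac.new(self.key, header + datagram, hashlib.sha256).digest()[:ICV_LEN]

    def outbound(self, datagram: bytes) -> bytes:
        # Intercept a datagram leaving the router and add protection to it.
        self.tx_seq += 1
        header = struct.pack("!II", self.spi, self.tx_seq)
        return header + datagram + self._icv(header, datagram)

    def inbound(self, packet: bytes) -> bytes:
        # Verify a packet arriving from the Internet, then strip the protection.
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated packet")
        header, datagram, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not hmac.compare_digest(icv, self._icv(header, datagram)):
            raise ValueError("integrity check failed")
        if seq <= self.rx_highest:  # simplified: real devices keep a sliding window
            raise ValueError("replayed sequence number")
        self.rx_highest = seq
        return datagram

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key, shared by both sites
    site_a, site_b = BitwDevice(0x1001, key), BitwDevice(0x1001, key)
    datagram = b"constructed datagram from the site A router"
    wire = site_a.outbound(datagram)  # what crosses the Internet
    results = {"delivered": site_b.inbound(wire) == datagram}
    tampered = wire[:10] + bytes([wire[10] ^ 1]) + wire[11:]  # one bit flipped in transit
    for name, pkt in (("tampered", tampered), ("replayed", wire)):
        try:
            site_b.inbound(pkt)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

Calling `demo()` shows that the routers on either side only ever see the original datagram, while a modified or re-sent packet is rejected at the receiving device before it reaches the site network.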
The TCP/IP Guide (http://www.TCPIPGuide.com) Version 3.0 - Version Date: September 20, 2005 © Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.