Please Whitelist This Site?
I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.
If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.
Thanks for your understanding!
Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide
NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.
IPSec Architectures and Implementation Methods
(Page 3 of 3)
Bump In The Wire (BITW) Architecture
In this method we add a hardware
device that provides IPSec services. For example, suppose we have a
company with two sites. Each has a network that connects to the Internet
using a router that is not capable of IPSec functions. We can interpose
a special IPSec device between the router and the Internet
at both sites, as shown in Figure 118.
These devices will then intercept outgoing datagrams and add IPSec protection
to them, and strip it off incoming datagrams.
Figure 118: IPSec Bump In The Wire (BITW) Architecture
In this IPSec architecture, IPSec is actually implemented in separate devices that sit between the devices that wish to communicate securely. These repackage insecure IP datagrams for transport over the public Internet.
Just as BITS lets us add
IPSec to legacy hosts, BITW can retrofit non-IPSec routers
to provide security benefits. The disadvantages are complexity and cost.
Parallels Between BITS and BITW
Incidentally, even though BITS and
BITW seem quite different, they are really different ways of doing the
same thing. In the case of BITS we add an extra software layer that
adds security to existing IP datagrams; in BITW this same job is done
by distinct hardware devices. In both cases the result is the same,
and the implications on the choice of IPSec mode is likewise the same.
As we will see in the next topic,
the choice of architecture has an important impact on which of the two
IPSec modes can be used.
Key Concept: Three different architectures or implementation models are defined for IPSec. The best is integrated architecture, where IPSec is built into the IP layer of devices directly. The other two are Bump In The Stack (BITS) and Bump In The Wire (BITW), which both are ways of layering IPSec underneath regular IP, using software and hardware solutions respectively.
|If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!|
Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.