Network Layer
Network layer (L3) encryption is done between two layer 3 devices, and IPsec
provides it in two modes. Transport mode encrypts only the payload of a packet
and leaves the original IP header in place, so it is used between two hosts that
are themselves the IPsec endpoints (for example, host-to-host traffic inside a
data center). The more common deployment is tunnel mode between two VPN
endpoints, such as a VPN hardware client device, a router, a firewall, or a VPN
concentrator; a remote-access client connecting to a gateway also uses tunnel
mode. Tunnel mode wraps the entire original packet, header included, inside a
new packet addressed from one gateway to the other. This means cleartext data
travels between the actual host and the VPN source endpoint, where it is
encrypted and forwarded on to the VPN destination endpoint, where the
transmission is decrypted and forwarded to the destination host as cleartext.
One security concern is that the data is unencrypted during part of the trip;
the design assumes that these unprotected segments lie inside trusted internal
LANs on both ends, and that assumption deserves checking rather than hope, since
a compromised host or switch port on either LAN sees the traffic in the clear.
Note that the VPN endpoints might be many routers (hops) away and the interim
routers need not be VPN-aware. Because the packets must be routed through the
network, an IP header must remain in cleartext. In IPsec tunnel mode the header
that is exposed is the new outer header, and it names only the two tunnel
endpoints, not the source and destination hosts. The original IP header, with
the real host addresses, travels encrypted inside the ESP payload of the tunnel
packet. An interim router therefore sees the gateway pair, the protocol number
(50 for ESP) and the SPI, while the inner addresses, inner protocol and transport
ports are hidden from it. (This holds for ESP with encryption; AH, or ESP with
null encryption, authenticates the packet but leaves its contents readable.)
Layer 3 VPN implementations should carry Quality of Service (QoS) markings
end-to-end to ensure priority delivery through the network, particularly for
time-sensitive data. Because the interim routers cannot read the inner header or
the transport ports, they can only classify on the outer header: the sending
gateway has to copy the inner DSCP value into the outer header (or map it by
policy, as RFC 4301 allows), otherwise every flow through the tunnel collapses
into a single class. That marking is visible and rewritable on the path, so the
receiving gateway should not copy the outer DSCP back into the inner packet;
RFC 4301 does not do so by default.
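The following script is an added illustration, not code from the original text
or from any IPsec implementation. It builds a constructed TCP/IPv4 packet from
an internal host, encapsulates it in ESP in both tunnel mode and transport mode
(framing per RFC 791 and RFC 4303), and shows what an on-path router with no key
can read from each: the gateway addresses, protocol 50 and the SPI in tunnel
mode, versus the real host addresses in transport mode. It also copies the
inner DSCP into the outer header, as the QoS paragraph above requires, and
decapsulates at the receiving gateway. The addresses, SPI values and key are
made up; the "encryption" is an HMAC-SHA256 keystream used as a stand-in so the
script runs with the standard library alone, and it is not a substitute for
ESP's real AES-GCM, ICV or replay protection.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # ESP "next header" value for an encapsulated IPv4 packet
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    """Minimal IPv4 header (no options) in front of payload; DSCP sits in the top 6 bits of TOS."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Header fields anyone on the path can read without a key."""
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "dscp": tos >> 2, "payload": pkt[ihl:total_len]}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). Illustrative only, not ESP's AES-GCM."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """RFC 4303 layout: SPI | seq | enc(payload | padding | pad length | next header). No ICV here."""
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ks = _keystream(key, struct.pack("!II", spi, seq), len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))


def esp_decapsulate(key: bytes, esp: bytes):
    spi, seq = struct.unpack("!II", esp[:8])
    ks = _keystream(key, struct.pack("!II", spi, seq), len(esp) - 8)
    plaintext = bytes(a ^ b for a, b in zip(esp[8:], ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_pkt):
    """Gateway-to-gateway: whole original packet becomes ESP payload; outer header names the gateways."""
    esp = esp_encapsulate(key, spi, seq, inner_pkt, IPPROTO_IPIP)
    # Copy the inner DSCP to the outer header (RFC 4301 default) so interim routers can still prioritise.
    return ipv4_packet(gw_src, gw_dst, IPPROTO_ESP, esp, dscp=parse_ipv4(inner_pkt)["dscp"])


def transport_mode(key, spi, seq, host_pkt):
    """Host-to-host: original IP header kept, only the L4 segment is protected."""
    h = parse_ipv4(host_pkt)
    esp = esp_encapsulate(key, spi, seq, h["payload"], h["proto"])
    return ipv4_packet(h["src"], h["dst"], IPPROTO_ESP, esp, dscp=h["dscp"])


def on_path_view(pkt: bytes) -> dict:
    """What an interim router (no key) learns from the wire."""
    h = parse_ipv4(pkt)
    view = {"src": h["src"], "dst": h["dst"], "proto": h["proto"], "dscp": h["dscp"]}
    if h["proto"] == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", h["payload"][:4])[0]   # SPI is sent in the clear
    else:
        view["l4_bytes"] = h["payload"][:4]                      # e.g. TCP ports, fully readable
    return view


def tunnel_gateway_decap(key: bytes, pkt: bytes) -> bytes:
    """Receiving gateway: strip outer header, decrypt, and forward the original packet in cleartext."""
    h = parse_ipv4(pkt)
    next_header, inner = esp_decapsulate(key, h["payload"])
    if h["proto"] != IPPROTO_ESP or next_header != IPPROTO_IPIP:
        raise ValueError("not an IPv4-in-ESP tunnel packet")
    return inner


# Constructed sample: internal host 10.0.1.5 sends a TCP SYN to port 443 on 10.0.2.7,
# marked DSCP 46 (EF). Gateways 203.0.113.1 and 198.51.100.1 and the key are made up.
KEY = b"\x11" * 32
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
HOST_PKT = ipv4_packet("10.0.1.5", "10.0.2.7", IPPROTO_TCP, TCP_SEG, dscp=46)
TUNNEL_PKT = tunnel_mode(KEY, 0x1000, 1, "203.0.113.1", "198.51.100.1", HOST_PKT)
TRANSPORT_PKT = transport_mode(KEY, 0x2000, 1, HOST_PKT)

if __name__ == "__main__":
    print("cleartext on the LAN :", on_path_view(HOST_PKT))
    print("tunnel mode on path  :", on_path_view(TUNNEL_PKT))
    print("transport mode       :", on_path_view(TRANSPORT_PKT))
    print("decapsulated matches :", tunnel_gateway_decap(KEY, TUNNEL_PKT) == HOST_PKT)
```

Running it shows the three views side by side: the LAN copy exposes the host
pair and the TCP ports, the tunnel-mode packet exposes only the two gateways,
protocol 50, the SPI and the copied DSCP, and the transport-mode packet exposes
the real host addresses but no ports.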