<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Modes of using encryption and authentication</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Linux IPv6 HOWTO (en)" HREF="index.html"><LINK REL="UP" TITLE="Encryption and Authentication" HREF="chapter-encryption-authentication.html"><LINK REL="PREVIOUS" TITLE="Encryption and Authentication" HREF="chapter-encryption-authentication.html"><LINK REL="NEXT" TITLE="Support in kernel (ESP and AH)" HREF="x2371.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Linux IPv6 HOWTO (en)</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="chapter-encryption-authentication.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 19. Encryption and Authentication</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="x2371.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="AEN2360" ></A >19.1. Modes of using encryption and authentication</H1 ><P >Two modes of encryption and authentication of a connection are possible:</P ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2363" ></A >19.1.1. Transport mode</H2 ><P >Transport mode is a real end-to-end connection mode. Here, only the payload (usually ICMP, TCP or UDP) is encrypted with their particular header, while the IP header is not encrypted (but usually included in authentication).</P ><P >Using AES-128 for encryption and SHA1 for authentication, this mode decreases the MTU by 42 octets.</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2367" ></A >19.1.2. Tunnel mode</H2 ><P >Tunnel mode can be used either for end-to-end or for gateway-to-gateway connection modes. Here, the complete IP packet is being encrypted and gets a new IP header prepended, all together constituing a new IP packet (this mechanism is also known as "encapsulation")</P ><P >This mode usually decreases the MTU by 40 octets from the MTU of transport mode. I.e. using AES-128 for encryption and SHA1 for authentication 82 octets less than the normal MTU.</P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="chapter-encryption-authentication.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="x2371.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Encryption and Authentication</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="chapter-encryption-authentication.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Support in kernel (ESP and AH)</TD ></TR ></TABLE ></DIV ></BODY ></HTML >