End-to-end Encryption (e2e)

e2e occurs between the original source and the final destination, that is, the encryption takes place at the Application Layer#, Presentation Layer#, Transport Layer# or Network Layer#. This implies that the two endpoints hold the shared keys. e2e concerns only the encryption of the user data. If the user's privacy and security are the priority, e2e is preferred. However, because of the translation limit when crossing between different network technologies such as IPv4# and IPv6#, the data sent must be decrypted and then transformed into a form the other network understands. This can be a serious compromise.

Unlike Link Encryption, it does not protect the traffic flow.
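To make the traffic-flow caveat concrete, here is an added example (not from the original note) that models one packet hop in Python. An on-path observer sees the addresses and length of every packet but never the sealed payload; the same model covers the IPsec transport/tunnel distinction quoted in the backlinks below, where tunnel mode also hides the end hosts' addresses between the two gateways. The addresses, messages and keys are constructed, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM so that the example runs with the standard library alone.

```python
"""Constructed model of end-to-end (IPsec transport-mode) protection versus
gateway-to-gateway (tunnel-mode) protection. Added example: the addresses and
messages are constructed, and the cipher is an HMAC-SHA256 counter-mode
keystream plus an encrypt-then-MAC tag standing in for a real AEAD such as
AES-GCM (assumption: no third-party crypto library is available)."""
import hashlib
import hmac
import json
import os

# Constructed addresses: two hosts behind two gateways of the same organisation.
HOST_A, HOST_B = "10.0.1.7", "10.0.2.9"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from the one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; only holders of `key` can read or alter it."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def serialize(pkt: dict) -> bytes:
    return json.dumps({"src": pkt["src"], "dst": pkt["dst"], "body": pkt["body"].hex()}).encode()

def deserialize(raw: bytes) -> dict:
    d = json.loads(raw)
    return {"src": d["src"], "dst": d["dst"], "body": bytes.fromhex(d["body"])}

def transport_mode(host_key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """e2e: the endpoints' header stays in the clear, only the payload is sealed."""
    return {"src": src, "dst": dst, "body": seal(host_key, payload)}

def tunnel_mode(gw_key: bytes, inner: dict) -> dict:
    """Gateway-to-gateway: the whole inner packet is sealed; the outer header names the gateways."""
    return {"src": GW_A, "dst": GW_B, "body": seal(gw_key, serialize(inner))}

def observer_view(pkt: dict) -> dict:
    """What an on-path device without keys learns: addresses and size, not the payload."""
    return {"src": pkt["src"], "dst": pkt["dst"], "length": len(pkt["body"])}

def receive_transport(host_key: bytes, pkt: dict) -> bytes:
    return unseal(host_key, pkt["body"])

def receive_tunnel(gw_key: bytes, outer: dict) -> dict:
    # The far gateway strips the tunnel; the inner packet then travels on to HOST_B unprotected.
    return deserialize(unseal(gw_key, outer["body"]))

def tamper_detected(key: bytes, pkt: dict) -> bool:
    """Flip one ciphertext bit in transit and check that the receiver rejects the packet."""
    body = bytearray(pkt["body"])
    body[12] ^= 0x01
    try:
        unseal(key, bytes(body))
    except ValueError:
        return True
    return False
```

The translation caveat above shows up in the model too: a device between the hosts cannot rewrite anything inside `body` without `host_key`, which is why moving traffic across network technologies forces a decrypt-and-re-encrypt step at the translator.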

Links to this page
  • TNS3131 Chapter 2: Conventional Encryption and Message Confidentiality
  • IP Security (IPsec)

    IPsec offers two protocol modes: transport mode and tunnel mode. Transport mode provides End-to-end security# that protects only the IP packet payload. Tunnel mode provides gateway-to-gateway security (the gateways are usually routers owned by the same corporation) that protects the entire IP packet. However, traffic beyond the gateway is not protected in tunnel mode, and it cannot be set up by an ordinary user. Authentication and encryption are applied slightly differently in each mode. In transport mode they cover only the payload (so the traffic could be susceptible to Traffic Analysis#), sometimes together with a portion of the IP header (if using AH only) and the IPv6 extension headers. In tunnel mode they cover the entire packet (an AH-only tunnel mode SA also authenticates a portion of the IP header and the IPv6 extension headers). The two modes can be stacked on each other to satisfy the four SA combination cases.

  • Diameter

    Diameter is a newer #Triple A (AAA) protocol standardised in RFC3588 and RFC4005. It is derived from, and aims to replace, Remote Access Dial-In User Service (RADIUS), while also providing transition support, with enhancements such as error handling and reliable message delivery. Instead of relying on a central AAA server, it uses a peer-to-peer architecture: every host or node that implements Diameter can act as either server or client, with peer discovery by static configuration or dynamic lookup. Diameter runs over connection-oriented transports such as #Transmission Control Protocol (TCP) and Stream Control Transmission Protocol (SCTP), with a maximum attribute data size of 16,777,215 octets (an octet being 8 bits). It supports both Link Encryption# and End-to-end Encryption (e2e)#.
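The 16,777,215-octet limit comes from the 24-bit Length field of a Diameter attribute-value pair (AVP). As an added example (not from the note or from any Diameter implementation), the following Python encodes and decodes AVPs with that header layout and shows the two checks a receiver needs: a length that must stay inside the buffer it was read from, and mandatory (M-flagged) AVPs it does not recognise. The codes in KNOWN_CODES are RFC 3588 base AVPs; AVP code 999, the vendor ID and the sample data are constructed.

```python
"""Constructed Diameter AVP encoder/decoder following the RFC 3588 AVP header
layout: Code (32 bits) | Flags (8 bits: V M P, rest reserved) | Length (24 bits)
| Vendor-ID (32 bits, only when V is set) | Data, padded to a 4-octet boundary.
Added example, not taken from any Diameter stack; the codes in KNOWN_CODES are
RFC 3588 base AVPs, the other values are constructed."""
import struct

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20
MAX_AVP_LENGTH = 0xFFFFFF  # the 24-bit Length field is what caps attribute size
KNOWN_CODES = {1, 263, 264, 296}  # User-Name, Session-Id, Origin-Host, Origin-Realm

def header_length(vendor_id) -> int:
    return 12 if vendor_id is not None else 8

def avp_length_fits(data_len: int, vendor_id=None) -> bool:
    # Length covers header + data and must be representable in 24 bits.
    return header_length(vendor_id) + data_len <= MAX_AVP_LENGTH

def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id=None) -> bytes:
    if not avp_length_fits(len(data), vendor_id):
        raise ValueError("AVP does not fit the 24-bit Length field")
    flags = (FLAG_M if mandatory else 0) | (FLAG_V if vendor_id is not None else 0)
    length = header_length(vendor_id) + len(data)  # padding is not counted
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * ((-len(data)) % 4)

def decode_avp(buf: bytes, offset: int = 0):
    """Return (avp, next_offset); refuses lengths that run outside the buffer."""
    if len(buf) - offset < 8:
        raise ValueError("truncated AVP header")
    code, flags = struct.unpack_from("!IB", buf, offset)
    length = int.from_bytes(buf[offset + 5:offset + 8], "big")
    vendor_id, pos = None, offset + 8
    if flags & FLAG_V:
        if len(buf) - pos < 4:
            raise ValueError("truncated Vendor-ID")
        (vendor_id,) = struct.unpack_from("!I", buf, pos)
        pos += 4
    if length < pos - offset or offset + length > len(buf):
        raise ValueError("AVP length inconsistent with buffer")
    avp = {"code": code, "mandatory": bool(flags & FLAG_M),
           "vendor_id": vendor_id, "data": buf[pos:offset + length]}
    return avp, offset + length + ((-length) % 4)

def decode_all(buf: bytes) -> list:
    avps, offset = [], 0
    while offset < len(buf):
        avp, offset = decode_avp(buf, offset)
        avps.append(avp)
    return avps

def is_well_formed(buf: bytes) -> bool:
    try:
        decode_all(buf)
    except ValueError:
        return False
    return True

def unknown_mandatory(avps: list) -> list:
    """M-flagged AVPs the receiver does not understand; RFC 3588 requires rejecting such a message."""
    return [a["code"] for a in avps if a["mandatory"] and a["code"] not in KNOWN_CODES]
```

A receiver that skipped the length check would read data past the end of the buffer on a malformed AVP, and one that ignored the M flag would silently accept attributes whose meaning it does not know; both checks are cheap and belong in every Diameter parser.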

#p2p #cryptography