Transport and Tunnel (B)
IPsec can be implemented in a host-to-host transport mode, as well as in a network tunneling mode.
In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted.
In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications, host-to-network communications and host-to-host communications.