Professional Documents
Culture Documents
INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE
GRADUATE PROGRAM IN COMPUTER SCIENCE
This paper is prepared for Computer and Network Security course taught by Henock
Mulugeta(PhD)
Abstract
IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or
packet processing layer of network communication. Earlier security approaches have inserted
security at the Application layer of the communications model. IPsec is said to be especially useful
for implementing virtual private networks and for remote user access through dial-up connection to
private networks. IP security (IPSec) is a capability that can be added to either current version of the
internet protocol (IPv4 or IPv6), by means of additional headers. IPsec encompasses three
functional areas authentication, confidentiality and key management. Authentication makes use of
HMAC message authentication code. Authentication mode can be applied to the entire original IP
packet (tunnel mode) or to all of
These issues are known as data integrity, confidentiality, and authentication. In addition, replay
protection prevents acceptance of a resent packet. Therefore, there are different network security
protocols widespread use for protecting private and public networks such as IP Security(IPSec),
Transport Layer Security(TLS) and Secure Shell(SSH) . Hence, only IPsec protects all application
traffic over an IP network. Applications can be automatically secured by IPsec at the IP layer.
Designed by the Internet Engineering Task Force (IETF) for the Internet Protocol, IPSec supports
network-level authentication, data integrity, and encryption. IPSec integrates with the inherent
security of the IP datagram to provide the ideal platform for safeguarding intranet and Internet
communications. Because IP Security is deployed below the transport level, network managers (and
software vendors) are spared the trouble and expense of trying to deploy and coordinate security
one application at a time. The IPSec framework does not specify exactly which encryption
algorithms must be used by its implementations. Instead, it provides an empty infrastructure where
the desired algorithms may be set. This actually is a smart design decision, because it allows the
implementations to be modular, customizable for specific problems and easily up gradable with new
algorithms. A standard set of default algorithms is specified by the IETF in order to foster the early
adoption of IPSec.
IP security refers to security mechanism implemented at the IP (Internet Protocol) Layer to ensure
integrity, authentication and confidentiality of data during transmission in the open Internet
environment. Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP)
communications that works by authenticating and encrypting each IP packet of a communication
session.
IPSec is based on an end-to-end security model, meaning that the only computers that must know
about the traffic being secured are the sending and receiving computers. Each handles security at its
respective end, with the assumption that the medium over which the communication takes place is
not secure. Any computers that only route data from source to destination are not required to
support IPSec. This model allows IPSec to be successfully deployed for your existing enterprise
scenarios:
Local area network (LAN): client/server, peer to peer.
Wide area network (WAN): router to router, gateway to gateway.
Remote access: dial-up clients; Internet access from private networks.
1.2 Goals and Objective of IP Security
IP Security is designed to provide interoperable, high quality, cryptographically-based security for
IPv4 and IPv6.
integrity, data origin authentication, protection against replays (a form of partial sequence integrity),
confidentiality (encryption) and limited traffic flow confidentiality. These services are provided at
the IP layer, offering protection for IP and/or upper layer protocols.
AH
ESP
Authentication Header
Encapsulating Security
Payload
IKE
The Internet Key Exchange
IPSec provides security in three situations: Host-to-host, host-to-gateway and gateway-to-gateway.
IPsec uses the following protocols to perform various functions:
Authentication Headers (AH) provide connectionless data integrity and data origin
authentication for IP datagrams and provides protection against replay attacks.
Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication,
connectionless integrity, an anti-replay service (a form of partial sequence integrity), and
limited traffic-flow confidentiality.
Security Associations (SA) provide the bundle of algorithms and data that provide the
parameters necessary for AH and/or ESP operations. The Internet Security Association and
Key Management Protocol (ISAKMP) provides a framework for authentication and key
exchange, with actual authenticated keying material provided either by manual configuration
with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet
Negotiation of Keys (KINK), or IPSECKEY DNS records.
1.3.1 Authentication Header
The authentication header provides support for data integrity and authentication of IP packets. The
data integrity feature ensures that undetected modification to the content of a packet in transit is not
possible. The authentication feature enables an end system or network device to authenticate the
user or application and filter traffic accordingly; it also prevents the address spoofing attacks
observed in today's Internet.
IPSec Authentication Header
Authentication is based on the use of a Message Authentication Code (MAC); hence the two parties
must share a secret key. The authentication header consists of the following fields :
Next Header (8 bits): This field identifies the type of header immediately following this
header.
Payload Length (8 bits): This field gives the length of the authentication header in 32-bit
words, minus 2. For example, the default length of the authentication data field is 96 bits, or
three 32-bit words. With a three-word fixed header, there are a total of six words in the
header, and the Payload Length field has a value of 4.
Reserved (16 bits): This field is reserved for future use.
Security Parameters Index (32 bits): This field identifies a security association.
Sequence Number (32 bits): This field contains a monotonically increasing counter value.
Authentication Data (variable): This variable-length field (must be an integral number of
32-bit words) contains the Integrity Check Value (ICV), or MAC, for this packet.
1.3.2 Encapsulating Security Payload
The encapsulating security payload provides confidentiality service, including confidentiality of
message contents and limited traffic flow confidentiality. As an optional feature, ESP can also
provide the same authentication services as AH.
Figure shows the format of an ESP packet. It contains the following fields:
Padding (0-255 bytes): Extra bytes that may be required if the encryption algorithm requires
the plaintext to be a multiple of some number of octets
Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field
Next Header (8 bits): Identifies the type of data contained in the payload data field by
identifying the first header in that payload (for example, an extension header in IPv6, or an
upper-layer protocol such as TCP)
IPv6 extensions header that are present, with the possible exception of the destination options
header, which may be included in the protection.
ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header.
AH in transport mode authenticates the IP payload and selected portions of the IP header.
Tunnel Mode
Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or ESP fields
are added to the IP packet, the entire packet plus security fields is treated as the payload of the new
outer IP packet with a new outer IP header. The entire original or inner packet travels through a
tunnel from one point of an IP network to another no routers along the way are able to examine the
inner IP header .because the original packet is encapsulated the new larger packet may not have
totally different source and destination address adding to the security
ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the
inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of
the outer IP header.
AH
ESP
ESP with Authentication
Transport Mode SA
Authenticates IP payload and
selected portions of IP header
and IPv6 extension headers
Encrypts IP payload and any
IPv6 extension header
Encrypts IP payload and any
IPv6 extension header
Tunnel Mode SA
Authenticates entire inner IP
packet plus selected portions of
outer IP header
Encrypts inner IP packet
Encrypts inner IP packet
Authenticates inner IP packet
Automated: An automated system enables the on demand creation of keys for SAs and facilities
the use of keys in a large distributed system with an evolving configuration.
1.6 Conclusion
IP Security importance is growing, but unfortunately its operation imposes a significant burden on
the encrypting devices. Furthermore, certain applications may suffer from the increase in latency
(i.e., the time required to pass through an IPSec network device) due to the extra processing.
Finally, at a time when network security is increasingly vital, IPSec makes it easy for network
managers to provide a strong layer of protection to their organization's information resources.
1.7 Recommendation
The standard Internet communication protocol is completely unprotected, allowing hosts to inspect
or modify data in transit. Today's Internet is primarily comprised of
unreliable IP networks because of this inherent lack of security, the Internet is subject to various
types of threats. Adding IPSec to the system will resolve this limitation by providing strong
encryption, integrity, authentication and replay protection.
1.8 Bibliography
1.
2.
3.
4.
5.
6.
7.