IP Packets have no inherent security. It is Relatively easy to forge the addresses of IP packets, modify the contents of ip packets, replay old packets, and inspect the contents of Ip packets in transit. Therefore there is no guarantee that IP datagrams received are
From the claimed sender That they contain the original data that the sender placed in them That the original data was not inspected by a third party while the packet was being sent from source to destination.
IPSec is a method of protecting IP datagrams. It provides a standard , robust, extensible mechanism in which to provide security to IP and upper-layer protocols.
IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.
In common structure of any security protocols , we need to know which algorithm is used for authentication and encryption/decryption.
Common structure of security protocols
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
It is implemented in NETWORK layer.
TCp/ip protocol suite and IPSec
general IP Security mechanisms provides
applicable to use over LANs, across public & private WANs, & for the Internet
Benefits of ipsec
in a firewall/router provides strong security to all traffic crossing the perimeter
is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users if desired
additionally in routing applications:
assure that router advertisments come from authorized routers
neighbor advertisments come from authorized routers
insure redirect messages come from the router to which initial packet was sent
insure no forging of router updates
Data origin authentication
Rejection of replayed packets
a form of partial sequence integrity
Limited traffic flow confidentiality
Modes of operation
IPsec can be implemented in a two modes:-
Host-to-host transport mode Network tunnel mode.
Transport mode provides secure connection between two end-points because only the payload (the data you transfer) of the IP packet is usually encrypted and/or authenticated.
IPsec in transport mode does not protect Ipheader.It protects what is delivered from the transport layer to the network layer.
In this mode,theIpsec header and tailer are added to the information coming from the transport layer.The IP header is added later.
It’s simply a secured IP connection.
transport mode in action
Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways.Thus it protects the entire IP packet.
Tunnel mode is used when either the sender or the receiver is not a host.
Tunnel mode is more typically used between gateways (routers, firewalls, or standalone VPN devices) to provide a Virtual Private Network (VPN).A secure tunnel is created across an untrusted internet.
Tunnel mode in action
defined by 3 parameters:
Security Parameters Index (SPI)
a bit string
IP Destination Address
only unicast allowed
could one-way relationship between sender & receiver that affords security for traffic flow
d be end user, firewall, router
Security Protocol Identifier
indicates if SA is AH or ESP
has a number of other parameters
seq no, AH & EH info, lifetime etc
have a database of Security Associations
Two protocols are used to provide security:
AUTHENTICATION HEADER PROTOCOLS (AH)
ENCAPSULATION SECURITY PAYLOAD (ESP)
Authentication header protocol(ah)
AH protocol is designed to authenticate the source host, to ensure integrity all or part of the contents of a datagram carried in the IP packet and to guard against replay by attackers.
It uses a hash function and a symmetric key to create message authentication code.
It can be considered analogous to the algorithms used to calculate checksums or perform CRC checks for error detection.
But here AH use a special hashing algorithm and a specific key known only to the source and the destination.
AH performs the computation and puts the result (Integrity Check Value or ICV) into a special header with other fields for transmission.
The destination device does the same calculation using the key the two devices share, which enables it to see immediately if any of the fields in the original datagram were modified (either due to error).
ICV does not change the original data.
Thus the presence of the AH header allows us to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy .
AH protocol can be implemented in two mode tunnel mode and transport mode.
AH packet is identified by the protocol field of an IPv4 header and the “Next Header” field of an IPv6 header. It’s IP protocol number is 51.
AH Protocol in transport mode
The addition of an AH follows following steps:
An authentication header is added to the payload with the authentication data field set to 0. Padding is added for hashing function to make length even. Hashing is based on the total packet.Those fields of the IP header which do not change during transmission are included in calculation. (authentication data). They are inserted in AH. The IP header is added after the value of the protocol field is changed to 51.
ENCAPSULATION SECURITY PAYLOAD (ESP)
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. Encryption makes ESP bit more complicated.
ESP provides source authentication, data integrity and privacy(confidentiality) and also provides protection against replay attacks.
ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.
Like AH ,ESP also operates in two mode of operation:-tunnel mode and transport mode.
ESP packet is identified by the protocol field of an IPv4 header and the “Next Header” field of an IPv6 header. It’s IP protocol number is 50.
An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form.Here symmetric encryption algorithm is applied.It means sender and receiver both have same key.
ESP protected IP packet
The ESP procedure follows following steps:
An ESP trailer is added to the payload. The payload and the trailer are encrypted. The ESP header is added. The ESP header,payload and ESP trailer are used to create the authentication data. This data are added after the end of ESP trailer. The IP header is added after the protocol value is changed to 50.
ENCAPSULATION SECURITY PAYLOAD (ESP)
ESP has several fields that are the same as those used in AH, but packages its fields in a very different way. Instead of having just a header, it divides its fields into three components:
ESP Header: This contains two fields, the SPI and Sequence Number, and comes before the encrypted data. Its placement depends on whether ESP is used in transport mode or tunnel mode.
ESP Trailer: This section is placed after the encrypted data. It contains padding that is used to align the encrypted data, through a Padding and Pad Length field. Interestingly, it also contains the Next Header field for ESP.
ESP Authentication Data: This field contains an Integrity Check Value (ICV), computed in a manner similar to how the AH protocol works, for when ESP's optional authentication feature is used. This field provides authentication services similar to those provided by the Authentication Header(AH).
There are two reasons why these fields are broken into pieces like this.
Some encryption algorithms require the data to be encrypted to have a certain block size, and so padding must appear after the data and not before it. That's why padding appears in the ESP Trailer. The ESP Authentication Data appears separately because it is used to authenticate the rest of the encrypted datagram after encryption. This means it cannot appear in the ESP Header or ESP Trailer. In ESP IP header is not included in calculation of authentication data but in AH it is included.
Limitation of IPSec
IPsec cannot provide the same end-to-end security as systems working at higher levels.
IPsec encrypts packets at a security gateway machine as they leave the sender's site and decrypts them on arrival at the gateway to the recipient's site. This does provide a useful security service -- only encrypted data is passed over the Internet -- but it does not even come close to providing an end-to-end service. In particular, anyone with appropriate privileges on either site's LAN can intercept the message in unencrypted form.
IPsec authenticates machines, not users. IPsec uses strong authentication mechanisms to control which messages go to which machines, but it does not have the concept of user ID, which is vital to many other security mechanisms and policies.
IPsec does not stop traffic analysis.
Ipsec provides encryption without authentication using ESP which is very dangerous.
IPsec does not stop denial of service attacks.This attacks aim at causing a system to crash, overload, or become confused so that legitimate users cannot get whatever services the system is supposed to provide.
Data communications and networking by BehrouzForouzan
Computer networks by Andrew Tanenbaum
Cryptography and Network Security by William Stallings