2. IP Security
IP Security (IPsec) encompasses three functional areas:
1. Authentication
2. Confidentiality
3. Key Management
IPsec provides these services through two protocols:
I. ESP (Encapsulating Security Payload)
II. AH (Authentication Header)
3. Encapsulating Security Payload:
ESP can be used to provide
1. Confidentiality
2. Authentication
3. Integrity
Encryption and authentication can be selected independently for a security association, but using
only one of them is not recommended: encryption without authentication does not let the receiver
detect that an attacker has modified the ciphertext, and authentication without encryption exposes
the payload. Current practice is to use both, or a combined-mode (AEAD) algorithm.
Now, let us see the ESP packet format.
4. ESP Packet Format
• The ESP header and trailer fields are laid out in 32-bit words; the packet as a whole is
variable length, since the payload and the padding vary.
• It contains 7 fields, and the 7th field (ESP Authentication Data) is
optional.
FIELDS:
1. Security Parameters Index(SPI).
2. Sequence Number.
3. ESP Payload Data.
4. Padding.
5. Pad Length.
6. Next Header.
7. ESP Authentication Data.
5. Security Parameters Index(SPI):
It is a 32-bit field that identifies the security association (SA). Together with the destination
IP address (and the protocol, ESP or AH) it lets the receiver look up the keys and algorithms to
apply to the packet.
An association is a one-way logical connection between a sender and a receiver that affords
security services to the traffic carried on it.
If a peer relationship is needed for two-way secure exchange, then two security associations are
required, one in each direction.
6. Sequence Number:
A monotonically increasing counter value; this provides an anti-replay function.
The sender's counter starts at 0 when the SA is established and is incremented before each packet
is sent, so every packet carries a unique sequence number (the first packet uses 1).
When a packet arrives whose sequence number has already been seen, the receiver can identify it as
a duplicate (a replayed packet) and drop it.
The counter must not be allowed to cycle: before it would wrap, a new SA must be negotiated
(unless extended sequence numbers are in use).
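The anti-replay check is normally done with a sliding window rather than by remembering every sequence number, because packets may be reordered in transit. The following is an added example written for this page (not code from any IPsec implementation), modelled on the window described in RFC 4303: it keeps the highest sequence number accepted and a bitmap of the numbers just below it. The arrival order fed through it is constructed for illustration.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for ESP sequence numbers (added example).

    Modelled on RFC 4303 section 3.4.3: remember the highest sequence number
    accepted and a bitmap recording which of the window_size numbers below it
    have already been seen. Anything older than the window or already marked
    is dropped; the sequence number starts at 1, so 0 is never accepted.
    """

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.highest = 0   # right edge of the window
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False
        if seq > self.highest:
            # New right edge: slide the window forward by the gap.
            shift = seq - self.highest
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1          # everything previously seen is now too old
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:   # fell off the left edge: too old
            return False
        if self.bitmap & (1 << offset):  # already received: replay
            return False
        self.bitmap |= 1 << offset       # late but legitimate: mark it
        return True


def run_replay_demo(seqs=(1, 2, 3, 5, 4, 3, 100, 40, 36, 101, 101)):
    """Feed a constructed arrival order through the window; one accept/drop decision per packet."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    for seq, accepted in zip((1, 2, 3, 5, 4, 3, 100, 40, 36, 101, 101), run_replay_demo()):
        print(f"seq {seq:>3}: {'accept' if accepted else 'drop'}")
```

In a real receiver the window is updated only after the integrity check on the packet has passed; otherwise an attacker could send forged packets with large sequence numbers to slide the window forward and cause legitimate packets to be dropped.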
7. ESP Payload Data:
This is a transport-level segment (transport mode) or a complete IP packet (tunnel mode) that is
protected by encryption.
We will see transport and tunnel modes later…
Payload data, padding, pad length and next header are all encrypted together using the encryption
algorithm negotiated for the security association.
8. Padding:
The Padding field serves several purposes:
If an encryption algorithm requires the plaintext to be a multiple of some number of bytes, the Padding
field is used to expand the plaintext to the required length.
The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word.
Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this
alignment.
Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual
length of the payload.
9. Pad Length, Next Header, ESP Authentication Data:
PAD LENGTH:
Indicates the number of pad bytes immediately preceding this field, so the receiver can strip the
padding after decryption.
NEXT HEADER:
1. Identifies the type of data contained in the payload data field, using the IP protocol numbers
(for example 6 for a TCP segment in transport mode, or 4 for an IPv4 packet in tunnel mode).
2. It thus tells the receiver how to process the payload once it has been decrypted.
• ESP Authentication Data / Integrity Check Value :
1. It is an optional field, present only if the security association selected the integrity service.
2. It is a variable-length field that contains the Integrity Check Value, computed with the
negotiated authentication algorithm over the ESP header, payload data and trailer (but not over
the ICV itself).
10. Transport and Tunnel Modes:
IPsec can operate in two modes:
1. Transport Mode.
2. Tunnel Mode.
In transport mode protection is applied end to end between the two communicating hosts.
In tunnel mode protection is typically applied between two security gateways (or between a host
and a gateway), and the whole original packet is carried inside a new one.
The placement of the ESP header differs slightly between IPv4 and IPv6.
Before the ESP header is added, the original packet looks like this…
12. Transport Mode:
1. In transport mode only the payload (the transport-layer segment) is
encrypted.
2. The original IP header is not encrypted, so the real source and destination remain visible.
3. In IPv4 the ESP header is inserted after the original IP header (whose protocol field is set to
50, ESP) and before the transport header; in IPv6 it goes after the hop-by-hop, routing and
fragmentation extension headers. The ESP trailer (and the optional ICV) is added at the
end of the packet.
13. Tunnel Mode:
1. In tunnel mode the entire original packet is
encrypted, including its IP header.
2. In IPv4 and IPv6 the ESP header is placed prior
to the original IP header.
3. A new outer IP header is added in front of the ESP header, carrying the addresses of the tunnel
endpoints (for example the two gateways), so the inner addresses are hidden from observers on
the path.
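To make the packet format from slides 4 to 9 and the two modes from slides 12 and 13 concrete, here is an added example written for this page (not code from any IPsec stack). It lays out the seven ESP fields with padding to the cipher block size, parses them back, and builds one transport-mode and one tunnel-mode IPv4 packet. Encryption and the real ICV computation are omitted; the ICV is a zero placeholder whose 12-byte length is an assumption (as with HMAC-SHA1-96), and the addresses and TCP segment are constructed sample data.

```python
import socket
import struct

# Added example: byte layout of an ESP packet in transport and tunnel mode.
ESP_HEADER = struct.Struct("!II")  # Security Parameters Index, Sequence Number
IPPROTO_ESP = 50
NEXT_HEADER_TCP = 6      # transport mode: payload is a TCP segment
NEXT_HEADER_IPV4 = 4     # tunnel mode: payload is a complete IPv4 packet
ICV_LEN = 12             # assumed truncated ICV length; zero placeholder, not computed here


def build_esp(spi, seq, payload, next_header, block_size=16, extra_pad=0):
    """Lay out SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.

    Payload, Padding, Pad Length and Next Header form the region that would be
    encrypted; its length is forced to a multiple of the cipher block size,
    which also keeps Pad Length and Next Header right-aligned in a 32-bit word.
    extra_pad (a multiple of block_size) adds padding to hide the true payload length.
    """
    if extra_pad % block_size:
        raise ValueError("extra_pad must preserve block alignment")
    pad_len = (-(len(payload) + 2)) % block_size + extra_pad
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte")
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default pattern 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    return ESP_HEADER.pack(spi, seq) + payload + trailer + b"\x00" * ICV_LEN


def parse_esp(packet, icv_len=ICV_LEN):
    """Split an ESP packet back into its seven fields and verify the padding bytes."""
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    body = packet[ESP_HEADER.size:len(packet) - icv_len]   # the (would-be encrypted) region
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload_end = len(body) - 2 - pad_len
    if payload_end < 0 or body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")   # a receiver checks this before using the payload
    return {"spi": spi, "seq": seq, "payload": body[:payload_end],
            "pad_len": pad_len, "next_header": next_header,
            "icv": packet[len(packet) - icv_len:]}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample data: a TCP header (SYN to port 443) plus a few bytes of data.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0) \
    + b"GET / HTTP/1.0\r\n"
HOST_A, HOST_B = "10.0.0.1", "10.0.0.2"        # end hosts (hypothetical addresses)
GW_A, GW_B = "198.51.100.1", "203.0.113.1"     # tunnel endpoints (hypothetical addresses)


def transport_mode_packet():
    """Host to host: original IP header (protocol = ESP) | ESP header | TCP | ESP trailer | ICV."""
    esp = build_esp(0x1000, 1, TCP_SEGMENT, NEXT_HEADER_TCP)
    return ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode_packet():
    """Gateway to gateway: new outer IP header | ESP header | whole inner IP packet | trailer | ICV."""
    inner = ipv4_header(HOST_A, HOST_B, NEXT_HEADER_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    esp = build_esp(0x2000, 1, inner, NEXT_HEADER_IPV4)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode_packet()), ("tunnel", tunnel_mode_packet())):
        fields = parse_esp(pkt[20:])   # skip the (outer) IPv4 header
        print(f"{name}: outer dst {socket.inet_ntoa(pkt[16:20])}, next header {fields['next_header']},"
              f" pad length {fields['pad_len']}, payload {len(fields['payload'])} bytes")
```

Running it shows the difference the text describes: the transport-mode packet carries the hosts' own addresses in the clear with next header 6 (TCP), while the tunnel-mode packet shows only the gateway addresses, and the inner header with the real endpoints sits inside the region that would be encrypted, signalled by next header 4.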