1. IPSEC MODES OF OPERATION 2. IPSec Implementation Options 3. IPSec Mandatory Algorithms 4. Security Association 5. ISAKMP SA 6. Security Parameter index (SPI) 7. Selectors 8. SA Database (SAD) 9. Security Policy Database (SPD)

1. 1
IP Security
Part - 2
Mr. RAJASEKAR RAMALINGAM
Faculty - Department of IT, College of Applied Sciences – Sur,
Post Box: 484 Post Code: 411, Sultanate of Oman.
vrrsekar@yahoo.com

2. 2
Presentation Path
1. IPSEC MODES OF OPERATION
2. IPSec Implementation Options
3. IPSec Mandatory Algorithms
4. Security Association
5. ISAKMP SA
6. Security Parameter index (SPI)
7. Selectors
8. SA Database (SAD)
9. Security Policy Database (SPD)

3. 3
1. IPSEC MODES OF OPERATION
1. TRANSPORT MODE
a) AH Protection for upper layer protocols and
selective IP header fields
b) In this mode, ESP does not protect IP header
c) Used for host-to-host connection; Gateways
acting as host can use for network management
2. TUNNEL MODE
a) Protects the entire IP datagram
b) Source and destination IP address are often
different from those in the header of the original
datagram.
c) Generally used between two gateways; but can be
used between hosts

4. 4
IPSec Tunnel Mode
IPSec Tunnel Mode
Host 1
IPSec Tunnel Mode Host 2
Gateway 1 Gateway 2
SSL and IPSec Transport Mode
IPSec Tunnel Mode Most popular and appropriate
security solution in the data plane
Transport and Tunnel Mode

5. 5
IPsec Tunnel Mode vs. Transport Mode
TunnelModeTransportMode
Orig IP
Header
Orig IP
Header
IPSec
header
IPSec
header TCP header
TCP header
Data
Data
IPSec
header
IPSec
header
Orig IP
Header
Orig IP
Header TCP header
TCP header
Data
Data
Insecure
Network
Insecure
Network
Original
Media Access
Payload
Original IP
Media Access
Payload
Original IP
TCP/IP
Payload
Media Access
ESP(Security)
Original IP
TCP/IP
Original IP
Media Access
ESP(Security)
Tunnel IP
Payload
Media Access
Original IP
Tunnel IP
Payload

6. 6
2. IPSec Implementation Options
1. END HOST
a) A Native Stack: IPSEC tunnel and transport
modes are directly integrated into IP stack by OS
vendors
b) A Replacement Stack: A third party vendor writes
entire drop-in replacement for original stack
c) A bump in the stack: IPSEC will be inserted into
the native stack
2. GATEWAY
a) A bump in the wire: Encrypting unit transparent to
other network devices
b) Integrated Gateway: Provides enhancements to IP
router or firewall.

7. 7
3. IPSec Mandatory Algorithms
* DES in CBC mode
* HMAC with MD5
* HMAC with SHA-1
* NULL Authentication algorithm
* NULL Encryption algorithm

8. 8
4. Security Association
c) A typical SA Record will have
> Authentication and Encryption keys
> Algorithms and modes
> Key life times
> Initialisation Vectors
> Source IP Addresses
a) SA contains information about authentication,
encryption and associated keys
b) SA is identified with SPI, destination IP address and
security protocol

9. 9
5. ISAKMP SA
• For VPN connection, ISAKMP negotiates terms and
conditions of communication to authenticate and
share connection properties
• ISAKMP uses cookies for maintaining the SA
• ISAKMP SAs are duplex and caters for two systems

10. 10
IPSec SA
• IPSec SA is defined with three components:
1. SPI
2. Destination IP Address
3. Security protocol identifier (50 or 51)
• SA are managed by SAD and SPD
• IPSec SA is simplex and requires two SAs between
two systems
• SPD uses selectors to map traffic to a policy, which
ultimately maps to an SA that is maintained in the
SAD

11. 11
IPSEC SA Example
SPI 2916
AH Algorithm Mode Keyed
AH Transform RFC 1828
AH Algorithm MD5
AH Key(s) 128-bit MD5 key
AH Mode Entire Datagram
ESP Algorithm DES
ESP Algorithm Mode CBC
ESP Mode Transport
ESP Synch/Init Vector Size 64
ESP Transfrom RFC 1829
ESP Key(s) 56-bit DES Key
Lifetime
Absolute time in
UNIX format

12. 12
6. Security Parameter index (SPI)
 SPI allows multiplexing of SAs to a single gateway
SPI enables to map the incoming packet to an SA
SPI distinguishes different SAs terminating at the
same destination with same IPSec protocol
SPI provides a mechanism for identifying the first
SA that applies to the particular packet.
Selectors are used further identification of SA

13. 13
7. Selectors
2) A selector identifies an attribute of the
communication to determine the alignment with an
SA or SAs
3) The information in the selectors can be destination
IP address, source IP address, upper layer protocols
and service ports
1) IP traffic is mapped to IPSec policies by selectors
4) In tunnel mode, selectors information is obtained
after processing the ESP with SA information
5) In transport mode, there is no inner IP header
information and original SPD information is used.

14. 14
8. SA Database (SAD)
• Each SA has an entry in the SAD and SA entries are indexed
as destination IP address, IPSec protocol and SPI
• SAD contains nine parameters:
1. Sequence number counter for outbound packet
2. Sequence number overflow counter
3. A 32-bit anti-replay window
4. Life time of the SA
5. The algorithms used in the AH and associated key
6. The algorithms used in the authenticating portion of the ESP header
7. The algorithm used in the encryption of the ESP and its associated key
8. IPSec modes of operation: transport or tunnel
9. Path MTU

15. 15
9. Security Policy Database (SPD)
• IPSec allows different policies for different users
• Policies are maintained in a Security Policy Database
• SPD defines the following actions
1) Discard - do not let this packet in or out
2) Bypass - do not apply security services on these
packets
3) Apply - apply security services on outbound packets
and check for security on inbound packets.
• IP traffic is mapped to IPSec policy by selectors.
 Destination IP address, Source IP address, name,
upper layer protocol, destination and source ports
and data sensitivity level.

16. 16
IPSEC SPD Example
IP Source Address 128-bit Ipv6 address Value
Protocol TCP
SPI 2916
IP Destination Address 128-bit Ipv6 address Value
UserID UNIX UID
TCP/UDP Destination port 23
TCP/UDP Source port 1234

17. 17
Thank you