IP Level Security: IPSEC

IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for packets at the IP (network) level, so that any transport protocol or application above IP is protected without being changed.
IPSec does not mandate any specific encryption or authentication algorithm. Instead, it provides a framework and a mechanism: the choice of encryption, authentication, and hashing algorithms is left to the communicating parties, who agree on them when the security association is set up.
Security Association
IPSec requires a logical connection between two hosts, called a Security Association (SA). An SA is set up either manually or by a key-management (signaling) protocol such as IKE, which negotiates the algorithms and keys the SA will use.
In other words, IPSec gives the connectionless IP protocol connection-like state (the SA) before security can be applied.
An SA is a simplex (unidirectional) connection between a source and a destination. If a duplex (bidirectional) connection is needed, two SAs are required, one in each direction. An SA is uniquely identified by three elements:
1. A 32-bit security parameter index (SPI), which acts as a virtual circuit identifier, much like the VCI in connection-oriented protocols such as Frame Relay or ATM. The SPI is carried in the AH or ESP header so that the receiver can find the matching SA.
2. The security protocol in use. We will see shortly that IPSec defines two alternative protocols: AH and ESP.
3. The destination IP address. (RFC 2401 defines the SA-identifying triple as the SPI, the destination IP address, and the security protocol; it is the receiver, at that destination, that must look the SA up.)
Two Modes
IPSec operates in two different modes: transport mode and tunnel mode. The mode defines where the IPSec header is added to the IP packet and, therefore, how much of the packet is protected.

Transport Mode
In this mode, the IPSec header is added between the IP header and the rest of the packet, as shown in Figure. Only the payload (for example, the TCP or UDP segment) is protected; the original IP header stays in the clear. Tunnel mode, by contrast, treats the whole original IP packet as payload: the IPSec header sits between a new outer IP header and the original packet, which is how VPN gateways protect traffic on behalf of the hosts behind them.
Two Security Protocols
IPSec defines two protocols: Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol. We discuss both of these protocols here.
Authentication Header (AH) Protocol
The Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet.
The protocol calculates an integrity check value (ICV): a keyed message digest (a MAC, in practice HMAC with a hash such as SHA-1 or SHA-256) computed with a symmetric key shared by the two ends over the payload and the fields of the IP header that do not change in transit. The ICV is inserted in the authentication header; the receiver recomputes it with the same key and compares. Fields that routers rewrite (TTL, header checksum, and so on) are excluded from the digest. The IP addresses are covered, which is why AH does not survive NAT: a NAT device rewrites an address that the digest protects.
The AH is placed in the appropriate location based on the mode (transport or tunnel).
Figure shows the position of the authentication header in the transport mode.
Encapsulating Security Payload
The AH protocol does not provide privacy (confidentiality), only source authentication and data integrity.
IPSec later defined an alternative protocol that provides source authentication, integrity, and privacy, called Encapsulating Security Payload (ESP). Note that ESP's authentication is optional and, unlike AH's, covers only the ESP header, payload, and trailer, not the outer IP header.
ESP adds a header (carrying the SPI and sequence number) and a trailer (padding, pad length, and next-header fields). Note that ESP's authentication data are added at the end of the packet, after the encrypted payload and trailer, which makes their calculation easier: the sender encrypts first and then computes the authentication value over the ESP header and the ciphertext, appending it as the last field, and the receiver can reject a forged packet before spending any effort on decryption.
Figure 31.4 shows the location of the ESP header and trailer.
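To make the framing concrete, here is a constructed Python example, added here; it is not code from the original text or from any IPSec implementation. It builds a small IPv4 packet, wraps it in AH and in ESP in both transport and tunnel mode, and has the receiver select the SA by the (SPI, destination address, protocol) triple from a security association database (SAD) before checking the ICV, tying together the SA section and the two protocol sections above. HMAC-SHA-256-128 is a real IPSec integrity algorithm and the header layouts follow RFC 4302/4303, but the ESP cipher is a toy HMAC-based keystream standing in for AES (real ESP would also carry an IV), and the addresses, SPIs, and keys are made up for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

AH, ESP, IPIP, UDP = 51, 50, 4, 17   # IANA IP protocol numbers


def _checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet: 20-byte option-less header with checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def _immutable(hdr):
    """Zero the header fields routers may change (TOS, flags/fragment, TTL, checksum).
    AH's ICV covers the IP header, so these mutable fields are excluded (RFC 4302)."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128


def _split(pkt, outer):
    """Transport mode protects the payload behind the original header; tunnel mode
    (outer addresses given) protects the whole original packet as IP-in-IP."""
    if outer:
        return pkt, IPIP, outer[0], outer[1]
    return pkt[20:], pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def ah_protect(pkt, spi, seq, key, outer=None):
    inner, nxt, src, dst = _split(pkt, outer)
    ah = struct.pack("!BBHII", nxt, 5, 0, spi, seq)   # payload len 5 = 28 bytes / 4 - 2
    out = ipv4(src, dst, AH, ah + bytes(16) + inner)  # ICV field is zero while computing it
    icv = mac(key, _immutable(out[:20]) + out[20:])
    return out[:32] + icv + out[48:]


def ah_verify(pkt, sad):
    """Returns (next header, inner bytes) or None. The SA is selected by the triple."""
    hdr, ah, icv, inner = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    spi = struct.unpack("!I", ah[4:8])[0]
    key = sad.get((spi, socket.inet_ntoa(hdr[16:20]), AH))
    if hdr[9] != AH or key is None:
        return None
    expected = mac(key, _immutable(hdr) + ah + bytes(16) + inner)
    return (ah[0], inner) if hmac.compare_digest(icv, expected) else None


def _keystream(key, spi, seq, n):
    """TOY stream cipher (HMAC in counter mode) standing in for AES. Not real ESP."""
    blocks = [hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(pkt, spi, seq, enc_key, auth_key, outer=None):
    inner, nxt, src, dst = _split(pkt, outer)
    padlen = (-(len(inner) + 2)) % 4                    # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, padlen + 1)) + bytes([padlen, nxt])
    plain = inner + trailer
    esp = struct.pack("!II", spi, seq) + _xor(plain, _keystream(enc_key, spi, seq, len(plain)))
    return ipv4(src, dst, ESP, esp + mac(auth_key, esp))   # encrypt-then-MAC, ICV last


def esp_unprotect(pkt, sad):
    """Check the ICV first (cheap), decrypt only if it matches, then strip the trailer."""
    hdr, body, icv = pkt[:20], pkt[20:-16], pkt[-16:]
    spi, seq = struct.unpack("!II", body[:8])
    keys = sad.get((spi, socket.inet_ntoa(hdr[16:20]), ESP))
    if hdr[9] != ESP or keys is None or not hmac.compare_digest(icv, mac(keys[1], body)):
        return None
    plain = _xor(body[8:], _keystream(keys[0], spi, seq, len(body) - 8))
    padlen, nxt = plain[-2], plain[-1]
    end = len(plain) - 2 - padlen
    if end < 0 or plain[end:-2] != bytes(range(1, padlen + 1)):
        return None
    return nxt, plain[:end]


# Constructed demo keys, SAD entries and inner packet (not real traffic).
AH_KEY, ESP_ENC, ESP_AUTH = b"A" * 32, b"E" * 32, b"I" * 32
SAD = {(0x1000, "10.0.0.2", AH): AH_KEY,
       (0x1000, "198.51.100.1", AH): AH_KEY,
       (0x2000, "10.0.0.2", ESP): (ESP_ENC, ESP_AUTH),
       (0x3000, "198.51.100.1", ESP): (ESP_ENC, ESP_AUTH)}
SAMPLE = ipv4("10.0.0.1", "10.0.0.2", UDP, b"hello")
```

Running it shows the properties the text describes: an AH packet still verifies after a router decrements the TTL (a mutable field outside the digest) but fails after one payload byte is changed; an ESP packet no longer contains the plaintext, its ICV is the final 16 bytes, and a packet whose SPI has no SAD entry is rejected before any decryption. In tunnel mode the recovered inner bytes are the complete original packet with next header 4 (IP-in-IP).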