[Figure: where protection can be placed (Layer 4 / Layer 7 / IP layer)]
• Protection at the IP layer covers all IP packets; it needs to be implemented in the sender.
• Protection via a dedicated TCP port (Layer 4): no protection via other TCP ports.
[Figure: Network Site 1, Router, Public network (e.g. the Internet), Network Site 2]
• Internal connection: may or may not need protection
• Secure transport: only protecting the message contents
• Secure tunnel: protecting the whole message including header and contents; it may emulate a leased line, i.e., a virtual private network (VPN).
• Leased line: a private network (PN) at the physical layer; expensive, but physically isolated and therefore secure.
© 2020.2 WSU Lecture No. 3-5
Network Security: Lecture 3
IPsec
• Confidentiality protection
• IPsec provides methods to implement a secure
transport between two end entities, or a secure
tunnel between two network sites
• [Figure 9.1 An IPsec VPN Scenario: Network Site 1 and Network Site 2 connected through a public network, e.g. the Internet. Packet layout: new IP Header | IPsec Header | IP Header | IP Payload | IPsec Trailer. Legend: = protected, = added]
IPsec
• For this lecture, we will assume that the two
communicating entities have already:
Authenticated each other
Established session keys
Negotiated and configured a secure communication channel
• The above are usually done by using the corresponding
IPsec IKE protocols to be discussed in the next lecture.
Related RFCs for IKE version 1:
RFC2407: The Internet IP Security Domain of Interpretation for ISAKMP
RFC2408: Internet Security Association and Key Management Protocol (ISAKMP)
RFC2409: The Internet Key Exchange (IKE)
IPsec Services and IPsec Headers
• Security services are provided by one of the IPsec
protocols.
A generic format of an IP packet after it is processed by IPsec:
| New IP header, or slightly modified original IP header | IPsec header | (New) IP payload | IPsec trailer |
Security Associations
[Figure: an IPsec-secured connection using an IPsec SA]
IPsec SA Parameters
• AH Information
Message authentication algorithm, keys, key lifetimes, and related
parameters being used by the AH protocol
• ESP Information
Encryption and message authentication algorithms, keys, initial
values, key lifetimes, and ESP related parameters
• Lifetime of this Security Association
When it expires, a secure channel using this SA is terminated
• IPsec Protocol Mode
Tunnel, transport, or wildcard; wildcard means that the mode to use is
determined during the actual operation of the secure connection.
• Path MTU
Any observed path maximum transmission unit.
Mode of Operation
• Transport mode
provides secure transport
only protects the message contents, i.e., the IP packet payload
does not protect other information about the message, e.g., the IP
header
• Tunnel mode
provides a secure tunnel
protects the whole IP packet, including the IP header and payload
needs to add a new IP header, since the original IP header is hidden
by encryption
is usually used by a router/firewall to protect network traffic that
is transmitted to other networks
protects the original end entities against traffic analysis, since
it hides the original IP header if encryption is used.
[Figure: ESP packet layouts]
Transport mode (the IP header is slightly modified):
| IP Header | ESP Header | IP Payload | ESP Trailer |
Tunnel mode (output IP packet; everything after the new IP header is the new IP payload):
| New IP Header | ESP Header | IP Header | IP Payload | ESP Trailer |
In both layouts the "ESP encrypted" region covers the payload and the ESP trailer,
and the "ESP authenticated" region covers the ESP header through the ESP trailer.
ESP Format
Bit:  0        8        16       24
+-----------------------------------------+
| Security Parameter Index (SPI)          |  ESP Header
| Sequence Number                         |
+-----------------------------------------+
| ESP Payload (variable length)           |  ESP Payload
+-----------------------------------------+
| ESP Trailer                             |  ESP Trlr
+-----------------------------------------+
| ESP Authentication Data (variable length)|  ESP Auth
+-----------------------------------------+
• ESP inserts the ESP fields around the original input data.
• ESP should always do encryption, although a null
encryption algorithm may be specified.
• The ESP Authentication Data is called the Integrity Check Value
(ICV) in the textbook and in the ESP version 2 and 3 documentation.
[Figure: incoming packet at a firewall with nested ESP:
new IP Header | ESP Hdr | IP Header | ESP Hdr | IP Payload | ESP Trlr | ESP Trlr | ESP Auth;
the ESP encrypted and ESP authenticated regions are marked]
Anti-Replay
[Figure: replay attack. Bob sends IPsec packet m to Alice; the attacker delays the message and resends it.]
[Figure: anti-replay window. N is the largest sequence number received so far and W is the window size. A packet with a sequence number below N-W is considered lost; sequence numbers between N-W and N that have not arrived yet are still accepted when they do.]
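The receiver-side sliding window that the figure sketches, as an added example (not code from the lecture): a packet is accepted only if its sequence number is above N-W and has not already been seen; a packet that advances N slides the window forward. The window size W defaults to 64 and the bitmap layout are assumptions in the style of RFC 4303.

```python
class AntiReplayWindow:
    """Inbound ESP anti-replay check using a sliding window of W sequence numbers.

    n      = largest sequence number accepted so far (right edge of the window)
    bitmap = bit i set  <=>  sequence number (n - i) has been received, 0 <= i < w
    Sequence numbers <= n - w are left of the window and rejected as lost/replayed.
    """

    def __init__(self, window_size: int = 64):
        if window_size < 32:  # RFC 4303 requires a minimum window of 32
            raise ValueError("window size must be at least 32")
        self.w = window_size
        self.n = 0        # nothing received yet
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False  # sequence number 0 is never valid on an SA with anti-replay
        if seq > self.n:
            # New right edge: slide the window forward by the gap and mark seq received.
            shift = seq - self.n
            self.bitmap = ((self.bitmap << shift) & ((1 << self.w) - 1)) | 1
            self.n = seq
            return True
        offset = self.n - seq
        if offset >= self.w:
            return False  # older than N-W: treated as lost, so a late copy is a replay
        if self.bitmap & (1 << offset):
            return False  # already received inside the window: replay
        self.bitmap |= 1 << offset
        return True


def simulate(seqs, window_size: int = 64):
    """Run a constructed sequence of arrivals through one window; return accept/reject per packet."""
    win = AntiReplayWindow(window_size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: out-of-order 2 is fine, the second 2 is a replay,
    # 36 falls below N-W once N=100, and the second 100 is a replay.
    print(simulate([1, 3, 2, 2, 100, 36, 37, 100]))
```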
[Figure: outbound or inbound IPsec processing uses both the SAD and the SPD]
[Figure: IPsec processing of an IP packet (IP Header | TCP Header | TCP Payload).
• Search the SPD for a matching entry.
• IPsec? No: the packet is sent without IPsec (no IPsec SA).
• IPsec? Yes: the SPD entry refers to an IPsec SA entry in the SAD.
• IPsec processing turns the IP packet into an IPsec packet.
Assuming an IPsec SA is already created; if not, IKE needs to be done first.]
IP Security Policy Management
• Lifetimes of the policy and of the session keys for IKE
• List of cryptographic methods used to protect IKE
• Traffic selector
Specifies which traffic is to be protected.