Feleke IPSec 2023
Topic: IP Security
After completing this topic and solving the review questions, you will be able to:
Define IP Security.
List the applications of IPSec.
Explain why IPSec was designed (or introduced).
Describe the general benefits of IP Security.
Discuss how IPSec provides security.
Compare the IPSec operation modes (tunnel mode and transport mode).
Identify the IPSec policy applied to each IP packet.
Explain the IPSec Authentication Header (AH) format when used in IPv4.
Describe the IPSec Encapsulating Security Payload (ESP) format when used in IPv4.
Discuss security issues with IPSec.
Compare IPsec with SSL/TLS.
IPsec provides secure communications over LAN, private and public WANs and the
Internet.
1. IP-level security
The authentication mechanism ensures that the source named in the received packet
header and the source that actually transmitted the packet are the same.
The integrity mechanism guarantees (or assures) that the packet has not been modified on its
journey. That is, the received packet is the same as the one that was sent.
Confidentiality permits (or enables) communicating nodes to encrypt messages and thereby
prevents eavesdropping by third parties.
Replay protection ensures that a third party cannot capture a datagram and play it back
some time later.
The key management facility is concerned with exchanging, in a secure manner, the keys used
for encrypting and decrypting messages.
2. Applications of IPSec
IPsec can provide secure communication across a LAN, across private and public WANs, and
across the Internet. Examples of its use include:
1. Secure connection between different branch offices of the same company over the Internet:
A company can set up a VPN (virtual private network) to obtain a secure connection
between its branch offices over the Internet. This enables the company to:
Rely (or depend) heavily on the Internet,
Reduce its need for private networks,
Save costs and network management overhead.
2. Secure remote access to a distant intranet over an insecure medium (the Internet): Using a
system equipped with IP security protocols, an employee can make a local call to an
Internet Service Provider (ISP) and gain secure access to the company's intranet.
This reduces toll charges for travelling employees and telecommuters.
3. Setting up secure connections between peers (or partners): IPsec can be used to establish
secure communication, inside or outside the organization's own network, with partners at
other institutions.
4. Ensuring security for e-commerce applications: IPsec ensures that all communication
selected by the network administrator is both encrypted and authenticated, adding an extra
layer of security.
• Anti-replay protection
– Optional; the sender must provide it but the recipient may ignore it
• Key management
– IKE – session negotiation and establishment
– Sessions are rekeyed or deleted automatically
– Secret keys are securely established and authenticated
In a firewall/router, IPSec provides strong security to all traffic crossing the perimeter
It is below the transport layer, hence transparent to applications
It can be transparent to end users
It can provide security for individual users
In other words, applying IPSec security services is largely a network management decision.
5. IP Security Architecture
Many documents on the IPSec specification have been published by the IP Security
Protocol Working Group set up by the Internet Engineering Task Force (IETF). The most
In the figure above, IPSec tunnel mode protects only the traffic between two IPSec gateways at
different sites. These gateways send traffic securely between themselves through the Internet.
Tunnel mode creates a site-to-site VPN.
packet. The IPsec authentication header authenticates the entire original IP packet.
Before ESP
Note:
When using tunnel mode, a new packet is constructed with IPSec header information, and the
entire original packet, including its header, is encapsulated as the payload of the new packet.
Tunnel mode is commonly used to create virtual private networks (VPNs).
8. IP Security Policy
An IPsec policy is applied to each IP packet travelling between the source and the
destination. The policy is decided by the interaction of two databases, namely the Security
Association Database (SADB) and the Security Policy Database (SPD).
Answer: SAs contain encryption keys, information on which algorithms are to be used, and
SAs are uni-directional, so each party must create an SA for inbound and outbound traffic.
IPSec provides protection for outgoing packets and verifies or decrypts incoming packets
by using the Security Parameter Index (SPI) field stored in the IPSec packet header, along
with the destination or source IP address, to index into the SADB and perform actions
Whether AH or ESP is used, the sender and the receiver must agree on a key
This set of agreements between the hosts constitutes the Security Association (SA).
The SA separates the key management and the security mechanisms from each other.
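The receiver-side behaviour described above (locate the SA through the SPI, then apply the optional anti-replay check on the sequence number) as an added example; this is illustrative code written for these notes, not code from the lecture or from any IPsec implementation. The SADB key (SPI, destination address, protocol), the 64-datagram window size and the addresses are assumptions.

```python
from dataclasses import dataclass

WINDOW = 64  # assumed anti-replay window size (in datagrams)

@dataclass
class InboundSA:
    """One inbound SA: the agreed parameters plus the receiver's replay state."""
    spi: int
    dst: str
    proto: str                # "AH" or "ESP"
    highest_seq: int = 0      # right edge of the window; 0 = nothing seen yet
    bitmap: int = 0           # bit i set => datagram highest_seq - i was received

    def check_replay(self, seq: int) -> bool:
        """Accept (and record) seq if it is new and not older than the window."""
        if seq == 0:
            return False      # a sender never transmits sequence number 0
        if seq > self.highest_seq:
            # advance the window: shift old bits left, mark the new right edge
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False      # too old: falls to the left of the window
        if self.bitmap & (1 << offset):
            return False      # already received: a replayed datagram
        self.bitmap |= 1 << offset
        return True

# Constructed SADB: keyed by (SPI, destination address, protocol), the triple
# the receiver reads from the IPsec header and the IP header of the packet.
SADB = {(0x1001, "203.0.113.10", "ESP"): InboundSA(0x1001, "203.0.113.10", "ESP")}

def process_inbound(spi: int, dst: str, proto: str, seq: int) -> str:
    """Receiver side: locate the SA via the SPI, then apply the replay check."""
    sa = SADB.get((spi, dst, proto))
    if sa is None:
        return "discard: no matching SA"
    if not sa.check_replay(seq):
        return "discard: replayed or outside window"
    return "accept"
```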
The authentication header (AH) protocol, shown in fig. below, is added to an IPSec packet
before the payload, which either contains the original IP payload or the entire encapsulated IP
packet, depending on whether the transport or tunnel mode is used.
The IPsec AH format, illustrated in the figure below, contains the following fields:
Next header: links the headers by carrying the protocol number of the header that follows.
Payload length: this field gives the length of the AH in 32-bit units, with 2 subtracted
for consistency.
Reserved: not in use, so it is set to zero by default.
SPI: the Security Parameter Index is a 32-bit value which identifies the SA used for the
datagram.
Sequence number: this number uniquely identifies each datagram.
Authentication data: this field contains the ICV (Integrity Check Value).
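A parser and builder for the IPv4 AH format just listed, added here as an example (it is not code from the notes). It shows how the "32-bit units minus 2" convention of Payload Length fixes the ICV length; the sample AH is constructed and its 12-byte ICV is a placeholder, not a real HMAC.

```python
import struct

# fixed part of the AH: next header, payload length, reserved, SPI, sequence number
AH_FIXED = struct.Struct("!BBHII")   # 12 bytes

def parse_ah(buf: bytes) -> dict:
    """Return the AH fields plus the offset at which the next header starts."""
    if len(buf) < AH_FIXED.size:
        raise ValueError("truncated AH fixed header")
    nxt, plen, reserved, spi, seq = AH_FIXED.unpack_from(buf)
    total = (plen + 2) * 4           # undo the "minus 2" convention
    if total < AH_FIXED.size or len(buf) < total:
        raise ValueError("payload length inconsistent with buffer")
    icv = buf[AH_FIXED.size:total]   # authentication data fills the remainder
    return {"next_header": nxt, "payload_len": plen, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": icv, "next_offset": total}

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Inverse of parse_ah: pad the ICV so the AH is a multiple of 32 bits."""
    icv = icv + b"\x00" * ((-len(icv)) % 4)
    plen = (AH_FIXED.size + len(icv)) // 4 - 2
    return AH_FIXED.pack(next_header, plen, 0, spi, seq) + icv

# Constructed sample: transport-mode AH in front of TCP (protocol 6) with a
# 12-byte placeholder ICV (the HMAC-SHA1-96 size), giving Payload Length 4.
SAMPLE_AH = build_ah(6, 0x1001, 7, bytes(range(12)))
```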
protects only the intermediate devices and not the message communication.
That means AH provides integrity and origin authentication, but it does nothing to guarantee
While AH places a header before the payload (please refer to the diagram on page 12), ESP
To provide encryption, ESP uses a specified “block cipher” (typically AES, 3DES, or
Blowfish) to encrypt either the entire original IP packet or just its data, depending on
ESP also provides optional authentication in the form of an “authentication data” field in the
ESP trailer.
Unlike AH, ESP authenticates the “ESP header and payload” , but not the IP header.
This provides slightly “weak security” in that it does not protect the IP header from
source IP addresses.
ESP Format
ESP has various fields, which are divided into the following three components:
1. ESP header: its placement depends on the mode in use, as with the AH header. The ESP
header sits in front of the encrypted data and has two fields, the SPI and the sequence
number.
2. ESP trailer: placed after the encrypted data, it contains the padding and pad length fields
used to align the encrypted data, and the next header field for ESP.
3. ESP authentication data: the ICV is calculated and placed as in the AH protocol.
In the encryption phase, ESP holds the encrypted data, and the padding field is authenticated
along with the encrypted data. The following are the fields that are included in ESP.
SPI: this field is a 32-bit value which, combined with the destination address and
security protocol type, determines the SA of this datagram.
Sequence number: this sequence number is used to give protection against replay attacks.
Next header: links the headers by carrying the protocol number of the header that follows.
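The ESP layout above (header, padded payload, trailer, authentication data), and the transport/tunnel distinction from the earlier note on tunnel mode, as an added example written for these notes rather than taken from them. The payload is left in the clear and the ICV is a constant placeholder so that the field positions stay visible; a real SA would encrypt the payload plus trailer and compute an HMAC over the returned scope, which covers the ESP header, payload and trailer but not the IP header. Block size 16 (AES) and ICV length 12 are assumptions.

```python
import struct

ESP_HDR = struct.Struct("!II")       # SPI, sequence number
IPPROTO_TCP, IPPROTO_IPIP = 6, 4     # next header: transport mode vs tunnel mode

def esp_encapsulate(spi, seq, inner, next_header, block=16, icv_len=12):
    """Return (packet, icv_scope). Padding aligns payload + trailer to the
    cipher block size; the ICV is a placeholder, not a real HMAC."""
    pad_len = (-(len(inner) + 2)) % block          # +2: pad length + next header
    padding = bytes(range(1, pad_len + 1))         # default pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    body = ESP_HDR.pack(spi, seq) + inner + trailer  # everything the ICV covers
    return body + b"\xaa" * icv_len, body

def esp_decapsulate(packet, icv_len=12):
    """Receiver view (after decryption, in reality): strip ICV and trailer.
    In transport mode 'inner' is the transport segment; in tunnel mode it is
    the entire original IP packet, signalled by next header 4 (IP-in-IP)."""
    spi, seq = ESP_HDR.unpack_from(packet)
    body = packet[ESP_HDR.size:len(packet) - icv_len]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload")
    inner = body[:len(body) - 2 - pad_len]
    mode = "tunnel" if next_header == IPPROTO_IPIP else "transport"
    return {"spi": spi, "seq": seq, "inner": inner, "pad_len": pad_len,
            "next_header": next_header, "mode": mode}
```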
2. Data modification: Once the data has been read by an attacker, its contents may be modified
without the knowledge of the originator or the receiver. Data that is not kept
confidential loses its value.
3. Identity spoofing (IP address spoofing): Every system on the network is identified by a
valid IP address. In some cases, IP addresses are forged on an organization's intranet using
special techniques so that they appear valid and assume an identity on the network. This is
called IP spoofing. Using such addresses, attackers gain access to the network, modify the
data and the routing paths, and exhaust the system.
5. Man-in-the-middle attack: An intruder enters, listens to, tampers with and controls the
communication between two parties exchanging sensitive information, without either
party knowing.
6. Denial-of-service attack: This attack exhausts the total bandwidth of the system and makes
the entire service unavailable to its intended users. After gaining access to a network, an
attacker may attack the applications and make them malfunction, send a flood of SYN
messages to exhaust the available bandwidth, or block genuine users' access to network
resources.
7. Sniffer attack: A sniffer is a tool that monitors the packets exchanged between users. It
shows the data encapsulated in a packet, which can be opened and read if the packets are
not protected by security mechanisms. Using a sniffer, an attacker may learn access
permissions and related information, corrupt the network or read private data.
13. Summary
Review Questions
1. Define the term IP Security.
2. Write down the applications of IPSec.
3. Name the general benefits of IPSec.
4. What do you mean by IP Security policy?
5. Compare IPSec transport mode with IPSec tunnel mode.
6. Write short notes on the Security Association Database (SAD) and the Security Policy Database (SPD).
7. Briefly explain the IPsec Authentication Header (AH).
8. Write a short note on the AH format.
9. Discuss AH datagram placement.
10. Discuss the IPsec Encapsulating Security Payload (ESP).
11. Compare AH with ESP.
12. With the help of a neat diagram, explain the ESP format.
13. Write about ESP field placement.
14. List the security issues of IPSec (where IPSec is needed).