IPSec – IP Security Protocol By Archis Raje


IPSec – IP Security Protocol

By Archis Raje

What is IPSec?

IP Security – a set of extensions developed by the IETF to provide confidentiality (privacy) and authentication to IP.

To protect the contents of an IP datagram, the data is transformed using cryptography before it leaves the sender and is checked and restored at the receiver.

Why do we need IPSec?

Because plain IP is insecure – anyone on the path can
• forge (spoof) the source IP address
• modify packet contents in transit
• replay old packets
• inspect packet contents during transit

How does it work?

A combination of -
• cryptographic protocols (AH, ESP and the IKE key exchange)
• security mechanisms (security associations and the policy and association databases)

What does IPSec provide?

• Access control to network elements.
• Data origin authentication.
• Connectionless (per-datagram) integrity, so it also protects connectionless protocols such as UDP.
• Detection and rejection of replayed packets.
• Encryption to provide data confidentiality.
• Limited traffic flow confidentiality (tunnel mode hides the inner addresses, but not packet sizes or timing).

Since the IPSec services are offered at the network layer of the TCP/IP protocol stack, they can be used by any upper-layer protocol such as TCP, UDP, ICMP and IGMP, or by any application-layer protocol, without changes to the application.

IPSec provides cryptographically based security for IPv4 and IPv6 datagrams.

How?

Using two traffic security protocols:
• Authentication Header (AH) – IP protocol number 51
• Encapsulating Security Payload (ESP) – IP protocol number 50

And through the use of cryptographic key-management procedures and protocols such as the Internet Key Exchange (IKE) protocol.

Together, the security protocols provide -
• Data confidentiality
• Limited traffic flow confidentiality
• Connectionless integrity
• Data origin authentication
• Anti-replay service

Modes of operation of AH and ESP
• Transport mode – protects the payload of the original IP packet; the original IP header stays in front.
• Tunnel mode – protects the whole original IP packet, which is wrapped in a new IP header.

Transport Mode – AH transformation:

Before: | IP Header | TCP/UDP Header | Upper layer payload |
After:  | IP Header | AH Header | TCP/UDP Header | Upper layer payload |
        |<------------------- Authenticated -------------------->|

The ICV carried in the AH header covers the whole packet, including the IP header, except the fields that legitimately change in transit (TTL, TOS/DSCP, flags, fragment offset, header checksum), which are treated as zero when the ICV is computed. Because the source and destination addresses are covered, AH does not survive NAT.

Transport Mode – ESP transformation:

Before: | IP Header | TCP/UDP Header | Upper layer payload |
After:  | IP Header | ESP Header | TCP/UDP Header | Upper layer payload | ESP Trailer | ESP Auth |
                                 |<------------ Encrypted -------------->|
                    |<-------------------- Authenticated ------------------->|

Only the TCP/UDP header, the payload and the ESP trailer are encrypted. The ESP ICV (ESP Auth) covers the ESP header, the encrypted data and the trailer, but not the outer IP header; the receiver checks the ICV before decrypting.

Tunnel Mode – AH transformation:

Before: | IP Header | TCP/UDP Header | Upper layer payload |
After:  | New IP Header | AH Header | Original IP Header | TCP/UDP Header | Upper layer payload |
        |<--------------------------- Authenticated --------------------------->|

The original packet is carried whole as the payload. The new (outer) IP header carries the addresses of the tunnel endpoints, and the ICV covers everything except the mutable fields of that new header.

Tunnel Mode – ESP transformation:

Before: | IP Header | TCP/UDP Header | Upper layer payload |
After:  | New IP Header | ESP Header | Original IP Header | TCP/UDP Header | Upper layer payload | ESP Trailer | ESP Auth |
                                     |<-------------------- Encrypted --------------------->|
                        |<---------------------------- Authenticated ---------------------------->|

Because the original IP header lies inside the encrypted region, an observer sees only the tunnel endpoints' addresses – this is the limited traffic flow confidentiality listed earlier.
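The AH layouts above can be exercised end to end. The following Python is an added example, not code from the slides: it builds an IPv4 packet, inserts an Authentication Header in transport mode or wraps the packet in tunnel mode, and computes the ICV over the packet with the mutable fields zeroed. It then shows why a router's TTL decrement leaves the ICV valid while a NAT's source-address rewrite breaks it. The key, SPI, addresses and UDP payload are constructed values (an IKE exchange would normally supply the key and SPI); HMAC-SHA-256-128 is assumed as the integrity algorithm, IP headers are assumed to have no options, and sequence-number handling is left out.

```python
import hmac
import hashlib
import socket
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
IPIP_PROTO = 4         # next-header value for an IPv4 packet carried in tunnel mode
ICV_LEN = 16           # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits (RFC 4868)
AH_LEN = 12 + ICV_LEN  # fixed AH fields (next hdr, len, reserved, SPI, seq) + ICV

# Constructed values for this example only; in practice IKE supplies them.
KEY = b"example-ah-integrity-key-0123456789abcdef"
SPI = 0x1000


def _checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, tos: int = 0, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header (no options, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def rewrite_header(ip_hdr: bytes, *, proto=None, total_len=None, ttl=None, src=None) -> bytes:
    """Apply the changes an encapsulator (proto, length), a router (TTL) or a NAT (src)
    makes to a header, then recompute the checksum."""
    h = bytearray(ip_hdr)
    if proto is not None:
        h[9] = proto
    if total_len is not None:
        h[2:4] = struct.pack("!H", total_len)
    if ttl is not None:
        h[8] = ttl
    if src is not None:
        h[12:16] = socket.inet_aton(src)
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", _checksum(bytes(h)))
    return bytes(h)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable (RFC 4302): TOS, flags/fragment offset,
    TTL and header checksum. Addresses, length, identification and protocol stay."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def _icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over the immutable IP header, the AH with its ICV field zeroed, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_encap(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: insert AH between the original IP header and its payload."""
    ip_hdr, payload = packet[:20], packet[20:]
    # Payload Len field is the AH length in 32-bit words minus 2 (RFC 4302)
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], AH_LEN // 4 - 2, 0, spi, seq)
    new_ip = rewrite_header(ip_hdr, proto=AH_PROTO, total_len=20 + AH_LEN + len(payload))
    return new_ip + ah_fixed + _icv(new_ip, ah_fixed, payload, key) + payload


def ah_tunnel_encap(packet: bytes, outer_src: str, outer_dst: str,
                    spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: prepend a new IP header and AH; the whole original packet is payload."""
    ah_fixed = struct.pack("!BBHII", IPIP_PROTO, AH_LEN // 4 - 2, 0, spi, seq)
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, AH_LEN + len(packet))
    return outer + ah_fixed + _icv(outer, ah_fixed, packet, key) + packet


def ah_verify(packet: bytes, key: bytes):
    """Return (icv_ok, next_header, payload) for a packet whose IP protocol is AH."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return False, None, b""
    next_hdr, ah_len = packet[20], (packet[21] + 2) * 4
    ah_fixed, icv, payload = packet[20:32], packet[32:20 + ah_len], packet[20 + ah_len:]
    ok = hmac.compare_digest(icv, _icv(ip_hdr, ah_fixed, payload, key))
    return ok, next_hdr, payload


def demo() -> dict:
    """Run both modes over a constructed UDP datagram and simulate the path."""
    udp = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"   # constructed UDP payload
    plain = ipv4_header("10.0.0.1", "10.0.0.2", 17, len(udp)) + udp
    transport = ah_transport_encap(plain, SPI, 1, KEY)
    tunnel = ah_tunnel_encap(plain, "203.0.113.1", "198.51.100.1", SPI, 1, KEY)
    routed = rewrite_header(transport[:20], ttl=63) + transport[20:]          # router hop
    natted = rewrite_header(transport[:20], src="203.0.113.1") + transport[20:]  # NAT
    return {
        "transport_ok": ah_verify(transport, KEY)[0],
        "after_router_ok": ah_verify(routed, KEY)[0],        # TTL is mutable: still valid
        "after_nat_ok": ah_verify(natted, KEY)[0],           # source address is covered: fails
        "tampered_ok": ah_verify(transport[:-1] + b"!", KEY)[0],
        "tunnel_ok": ah_verify(tunnel, KEY)[0],
        "tunnel_inner_is_ip": ah_verify(tunnel, KEY)[1] == IPIP_PROTO,
    }


if __name__ == "__main__":
    print(demo())
```

The `rewrite_header` calls in `demo` stand in for the router and the NAT on the path; the results show which header changes AH tolerates and which it is designed to detect.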

Communication

• The IKE protocol is used to negotiate the cryptographic algorithm choices to be used by AH and ESP, and to put in place the cryptographic keys that those algorithms require.
• IPSec can apply a different security policy or encryption algorithm to different subnets, nodes, etc.
• It does this through the use of Security Associations (SAs).

Security Association

An agreement between communicating peers on factors such as -
• IPSec protocol (AH or ESP)
• Mode of operation of the protocol (transport mode or tunnel mode)
• Cryptographic algorithms
• Cryptographic keys
• Lifetime of the keys

SAs are simplex (unidirectional): a bidirectional connection needs two SAs, one in each direction. Each SA is identified by a Security Parameters Index (SPI), the destination IP address and the security protocol (AH or ESP).

SAD – Security Association Database

Stores the SA parameters communicated by IKE. Contents are -
• Sequence number counter (outbound)
• Sequence counter overflow flag (when set, the SA must be rekeyed rather than let the counter wrap and repeat a number)
• Anti-replay window (inbound)
• IPSec protocol mode
• Path maximum transfer unit (PMTU)
• Lifetime of the SA

Entries are located by SPI, destination address and protocol, and also hold the negotiated algorithms and keys.
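The sequence counter, overflow flag and anti-replay window listed above are small enough to implement in full. The following Python is an added example, not from the slides: an outbound `SequenceCounter` that refuses to wrap a 32-bit sequence space, and an inbound `ReplayWindow` that follows the sliding-window procedure of RFC 4303 section 3.4.3. The arrival order in `demo` is constructed; the window size of 64 and the class names are choices for this example.

```python
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence space of an SA without extended sequence numbers


class SequenceCounter:
    """Outbound side of an SA: sequence number counter plus overflow flag.
    The first packet carries 1. An SA must never reuse a sequence number, so
    reaching the top of the space means the SA is finished and must be rekeyed."""

    def __init__(self):
        self.counter = 0
        self.overflowed = False

    def next_seq(self):
        """Return the next sequence number, or None once the counter is exhausted."""
        if self.overflowed or self.counter >= SEQ_MAX:
            self.overflowed = True      # stop sending on this SA; negotiate a new one
            return None
        self.counter += 1
        return self.counter


class ReplayWindow:
    """Inbound side of an SA: the sliding anti-replay window.
    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (highest - i) has already been accepted."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Pre-ICV check: could this sequence number still be fresh?"""
        if seq == 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.highest:
            return True                      # right of the window: new
        age = self.highest - seq
        if age >= self.size:
            return False                     # left of the window: too old
        return not (self.bitmap >> age) & 1  # inside the window: fresh unless seen

    def update(self, seq):
        """Post-ICV update. Called only for packets whose ICV verified, so a forged
        packet with a huge sequence number cannot slide the window forward."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq, icv_ok):
        """Full inbound decision for one packet: check, verify ICV, then update."""
        if not self.check(seq):
            return "replayed-or-too-old"
        if not icv_ok:
            return "bad-icv"                # dropped without touching the window
        self.update(seq)
        return "accepted"


def demo():
    """Constructed arrivals: in order, out of order, a replay, a forged packet with a
    high sequence number and a bad ICV, a jump that slides the window, then two
    packets just outside and just inside the window."""
    w = ReplayWindow(64)
    arrivals = [(1, True), (5, True), (3, True), (3, True), (200, False),
                (100, True), (36, True), (37, True)]
    return [w.receive(seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    print(demo())
```

The split between `check` and `update` is deliberate: the window must only move on packets whose ICV has verified, otherwise an attacker could inject one packet with a large sequence number and cause every genuine in-flight packet to be dropped as "too old".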

SPD – Security Policy Database

Contains the policies that are to be applied to traffic destined to or originating from a given host or network. Policies are selected on -
• Destination IP address
• Source IP address
• Transport-layer protocol (and ports)
• System name: FQDN or email id
• User ID

Each policy decides whether matching traffic is discarded, allowed to bypass IPSec, or protected (and, if protected, with which SA).
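The interplay between the SPD and the SAD, and the fact that SAs are simplex and identified by SPI, destination and protocol (see the Security Association slide), is easiest to see in a small model. The following Python is an added example, not from the slides: an ordered SPD with DISCARD, BYPASS and PROTECT actions as in RFC 4301, a SAD with separate inbound and outbound tables, and the outbound decision a stack makes for each packet. The subnets, tunnel endpoints, SPIs and algorithm names are constructed; the name and address selectors from the slide are omitted to keep the example short.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Selector:
    """Traffic selector; None means "any". Addresses are CIDR strings."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None      # transport protocol number, e.g. 6 = TCP, 17 = UDP
    dport: Optional[int] = None      # destination port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Policy:
    selector: Selector
    action: str                      # "DISCARD", "BYPASS" or "PROTECT"
    ipsec_proto: str = ""            # "AH" or "ESP" when action == "PROTECT"
    mode: str = ""                   # "transport" or "tunnel"
    tunnel_peer: str = ""            # tunnel endpoint address when mode == "tunnel"


@dataclass
class SecurityAssociation:
    spi: int
    dst: str                         # for an outbound SA this is the peer's address
    ipsec_proto: str
    mode: str
    algorithms: dict
    key: bytes
    lifetime_s: int


class SPD:
    """Ordered policy list: first match wins; no match means DISCARD (RFC 4301)."""

    def __init__(self, policies):
        self.policies = list(policies)

    def lookup(self, pkt: dict) -> Policy:
        for p in self.policies:
            if p.selector.matches(pkt):
                return p
        return Policy(Selector(), "DISCARD")


class SAD:
    """SAs are simplex, so inbound and outbound are kept apart. Inbound SAs are
    found by the (SPI, destination, protocol) triple carried in the packet."""

    def __init__(self):
        self.inbound, self.outbound = {}, {}

    def add(self, sa: SecurityAssociation, direction: str):
        table = self.inbound if direction == "in" else self.outbound
        table[(sa.spi, sa.dst, sa.ipsec_proto)] = sa

    def find_inbound(self, spi, dst, ipsec_proto):
        return self.inbound.get((spi, dst, ipsec_proto))

    def find_outbound(self, policy: Policy, dst: str):
        target = policy.tunnel_peer if policy.mode == "tunnel" else dst
        for (_, sa_dst, proto), sa in self.outbound.items():
            if sa_dst == target and proto == policy.ipsec_proto and sa.mode == policy.mode:
                return sa
        return None                  # no SA yet: IKE must negotiate one


def build_example():
    """Constructed SPD and SAD for a gateway protecting 10.0.1.0/24 <-> 10.0.2.0/24."""
    spd = SPD([
        Policy(Selector(proto=17, dport=67), "BYPASS"),                       # DHCP
        Policy(Selector("10.0.1.0/24", "10.0.2.0/24"), "PROTECT", "ESP", "tunnel", "198.51.100.1"),
        Policy(Selector("10.0.1.0/24", "10.0.3.0/24"), "PROTECT", "ESP", "tunnel", "198.51.100.2"),
        Policy(Selector("10.0.1.0/24", "10.0.1.0/24"), "BYPASS"),             # local subnet
    ])
    sad = SAD()
    algs = {"enc": "aes-gcm-256"}
    sad.add(SecurityAssociation(0x1000, "198.51.100.1", "ESP", "tunnel", algs, b"k-out", 3600), "out")
    sad.add(SecurityAssociation(0x2000, "203.0.113.1", "ESP", "tunnel", algs, b"k-in", 3600), "in")
    return spd, sad


def outbound_decision(spd: SPD, sad: SAD, pkt: dict):
    """What the stack does per outbound packet: SPD lookup, then SA lookup."""
    policy = spd.lookup(pkt)
    if policy.action != "PROTECT":
        return policy.action, None
    sa = sad.find_outbound(policy, pkt["dst"])
    return ("PROTECT", sa.spi) if sa else ("NEED-IKE", None)
```

A packet for 10.0.2.0/24 is protected with the existing outbound SA, a packet for 10.0.3.0/24 matches a PROTECT policy but has no SA yet and must wait for IKE, and anything no policy covers is discarded rather than sent in the clear. On the inbound side a packet naming an SPI that does not exist for that destination and protocol has no SA and is dropped.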

Drawbacks

• Complex – has too many options, so policy and algorithm choices are easy to get wrong.
• Prone to initialization vector attacks: with CBC-mode encryption and no integrity protection, an attacker who alters the IV flips the corresponding bits of the first plaintext block undetected. Encryption-only ESP should therefore not be used; always pair encryption with authentication (ESP with an ICV, or an AEAD cipher).