IP Security

By: Dr. Juita T. Raut
SDSM College, Palghar
Overview
• IPSec is a set of protocols and services that provides a complete security solution, with several types of protection, for IP networks.
• Protection mechanisms provided by IPSec:
  • Client data encryption
  • Message integrity
  • Protection against various types of security attacks
  • Capability to negotiate the security algorithms
• Two security modes: tunnel and transport
Applications of IPSec
1) Secure remote access over the internet
2) Secure branch office connectivity over the internet
3) Improving Electronic commerce security
4) Establishing Extranet and Intranet connectivity with partners
Benefits of IPsec
• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected.
• IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
• IPsec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.
IPSec Services
• Access Control
• Message Integrity
• Entity Authentication
• Confidentiality
• Replay Attack Protection
Modes of Operation
• Tunnel mode: In this mode the entire IP packet is encrypted first and then becomes the data portion of a new, larger IP packet. This mode is frequently used in the site-to-site IPsec VPN topology.
• Transport mode: In this mode an IPsec header is inserted into the original IP packet; no new packet is created. This mode works well in networks where an increase in packet size is a concern. It is used in the remote-access VPN topology.
IPSec Architecture

IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec Architecture includes protocols, algorithms, DOI, and Key Management. All these components are very important in order to provide the three main services:
• Confidentiality
• Authentication
• Integrity
• 1. Architecture: The IP Security Architecture covers the general concepts, definitions, protocols, algorithms, and security requirements of IP Security technology.
• 2. ESP Protocol: ESP (Encapsulation Security Payload) provides a confidentiality service. Encapsulation Security Payload is implemented in either of two ways:
  • ESP with optional Authentication.
  • ESP with Authentication.
• Security Parameter Index (SPI): This parameter is used by the Security Association. It gives a unique number to the connection built between the Client and Server.
• Sequence Number: A unique sequence number is allotted to every packet so that on the receiver side packets can be arranged properly.
• Payload Data: Payload data is the actual data or the actual message. It is in encrypted form to achieve confidentiality.
• Padding: Extra bits of space are added to the original message in order to ensure confidentiality. Pad Length is the size of the space added to the original message.
• Next Header: Next Header identifies the next payload, i.e. the next actual data.
• Authentication Data: This field is optional in the ESP protocol packet format.
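The Replay Attack Protection service listed under IPSec Services is what the Sequence Number field is consumed for at the receiver: each SA keeps a sliding window of recently seen sequence numbers and drops duplicates and stale packets. The following is an added example, not code from the lecture; it assumes 32-bit sequence numbers (no Extended Sequence Numbers), one window per SA and a 64-packet window, and every name in it (AntiReplayWindow, run_trace, ARRIVALS) is the example's own.

```python
"""Sliding-window anti-replay check for IPsec (ESP/AH) sequence numbers.

Added example, not from the lecture. Assumes 32-bit sequence numbers
(no Extended Sequence Numbers), one window per SA, and a 64-packet
window (an assumption; real stacks make the size configurable).
"""

WINDOW_SIZE = 64   # number of recent sequence numbers tracked (assumption)


class AntiReplayWindow:
    """Receiver state for one Security Association (SA).

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (top - i) has already arrived.
    """

    def __init__(self, window_size=WINDOW_SIZE):
        self.size = window_size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Decide, without changing state, whether `seq` may be accepted.

        Returns False for a replayed packet, a packet older than the
        window, or sequence number 0, which is never sent on an SA.
        """
        if seq == 0:
            return False
        if seq > self.top:              # right of the window: always new
            return True
        diff = self.top - seq
        if diff >= self.size:           # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1

    def accept(self, seq):
        """Record `seq`. Call only after the packet's integrity check passed;
        otherwise forged packets could slide the window past genuine ones."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq, icv_ok=True):
        """Receive path: window check, then the (simulated) ICV check, then update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.accept(seq)
        return True


def run_trace(arrivals, window_size=WINDOW_SIZE):
    """Feed a constructed arrival order through one window; return the decisions."""
    window = AntiReplayWindow(window_size)
    return [window.process(seq) for seq in arrivals]


# Constructed arrival order: in-order packets, one reordered packet (4 after 5),
# two replays (3 and 2 again), a jump far past the window, and stale packets (6, 36).
ARRIVALS = [1, 2, 3, 5, 4, 3, 2, 70, 6, 100, 36, 37, 200, 37]

if __name__ == "__main__":
    for seq, ok in zip(ARRIVALS, run_trace(ARRIVALS)):
        print(f"seq={seq:4d} -> {'accept' if ok else 'DROP'}")
```

The split between check() and accept() matters: the window is only advanced after the Authentication Data has been verified, so an attacker who cannot forge the ICV cannot use large bogus sequence numbers to push legitimate in-flight packets out of the window.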
• 3. Encryption Algorithm: The encryption algorithm is the document that describes the various encryption algorithms used for Encapsulation Security Payload.
• 4. AH Protocol: AH (Authentication Header) Protocol provides both the Authentication and the Integrity service. Authentication Header is implemented in one way only: Authentication along with Integrity.
• Authentication Header covers the packet format and general issues related to the use of AH for packet authentication and integrity.
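Unlike ESP, whose authentication never covers the outer IP header, AH's integrity check value is computed over the IP header as well, minus the fields that legitimately change in transit (DSCP/ECN, flags and fragment offset, TTL, header checksum). The example below is added here and is not the lecture's code; it assumes HMAC-SHA256 truncated to 128 bits as the authentication algorithm, a fixed constructed key (a real SA gets its key from key management), a constructed IPv4 header and payload, and the function names are the example's own.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16                                   # HMAC-SHA256-128 style truncated ICV (assumption)
AUTH_KEY = b"constructed-ah-integrity-key!!!"   # constructed demo key; real SAs get keys via IKE
PROTO_UDP = 17

# Constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, total length 64, TTL 64, protocol 51 (AH).
# The original protocol number (UDP, 17) moves into AH's Next Header field.
IP_HDR = bytes.fromhex("45000040abcd4000" "40330000" "0a000001" "0a000002")
PAYLOAD = b"constructed data"                   # 16 bytes of constructed upper-layer data


def ipv4_checksum(hdr):
    """Ones-complement header checksum over the 20-byte header (checksum field zeroed)."""
    h = hdr[:10] + b"\x00\x00" + hdr[12:]
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icv_input(ip_hdr, ah_no_icv, payload):
    """Bytes the ICV is computed over: the IP header with its mutable fields zeroed,
    the AH header with the ICV field zeroed, and the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                       # DSCP / ECN
    h[6:8] = b"\x00\x00"           # flags / fragment offset
    h[8] = 0                       # TTL
    h[10:12] = b"\x00\x00"         # header checksum
    return bytes(h) + ah_no_icv + bytes(ICV_LEN) + payload


def ah_protect(ip_hdr, payload, spi, seq, next_header):
    """Insert AH between the IP header and the payload and fill in the ICV."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2     # AH 'Payload Len' is in 32-bit words minus 2
    ah = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq)
    icv = hmac.new(AUTH_KEY, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()[:ICV_LEN]
    hdr = bytearray(ip_hdr)
    hdr[10:12] = struct.pack("!H", ipv4_checksum(ip_hdr))
    return bytes(hdr) + ah + icv + payload


def ah_verify(packet):
    """Receiver: recompute the ICV and compare it in constant time."""
    ip_hdr, ah, icv = packet[:20], packet[20:32], packet[32:32 + ICV_LEN]
    payload = packet[32 + ICV_LEN:]
    expected = hmac.new(AUTH_KEY, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def router_hop(packet):
    """What a legitimate router does in transit: decrement TTL and fix the checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:20])))
    return bytes(p)


def rewrite_destination(packet, new_dst):
    """An on-path modification AH must detect: a rewritten destination address."""
    p = bytearray(packet)
    p[16:20] = bytes(map(int, new_dst.split(".")))
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:20])))
    return bytes(p)


def corrupt_payload(packet):
    """Flip one payload bit; the ICV must no longer verify."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)


def build():
    return ah_protect(IP_HDR, PAYLOAD, spi=0x1000, seq=1, next_header=PROTO_UDP)
```

Running ah_verify() on build(), on router_hop(build()) and on the two modified packets shows the property the slide states: AH authenticates the packet and its addressing, while still surviving the header changes every router is allowed to make. This is also why AH does not traverse NAT, which rewrites the very address fields the ICV covers.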
• 5. Authentication Algorithm: The authentication algorithm contains the set of documents that describe the authentication algorithms used for AH and for the authentication option of ESP.
• 6. DOI (Domain of Interpretation): DOI is the identifier that supports both the AH and ESP protocols. It contains the values needed by the documents that relate to each other.
• 7. Key Management: Key Management contains the document that describes how the keys are exchanged between sender and receiver.
• Working of ESP:
1. Encapsulating Security Payload supports both of the main Transport layer protocols: IPv4 and IPv6.
2. It performs encryption within the Internet Protocol; in general terms, it resides in and operates on the IP header.
3. One important thing to note is that ESP is inserted between the Internet Protocol header and upper-layer protocols such as UDP, TCP or ICMP.
• Modes in ESP:
• Encapsulating Security Payload supports two modes, i.e. transport mode and tunnel mode.
• Tunnel mode:
1. Tunnel mode is mandatory in a gateway, so it holds utmost importance.
2. Here a new IP header is created and used as the outer IP header, followed by the ESP header.
• Transport mode:
1. Here the IP header is not protected by encryption or authentication, leaving it vulnerable to threats.
2. This mode involves less processing, so where that matters the inclusion of ESP in this mode is preferred.
• Advantages:
• Listed below are the advantages of Encapsulating Security Payload:
1. Encrypting data to provide security
2. Maintaining a secure gateway for data/message transmission
3. Properly authenticating the origin of data
4. Providing the needed data integrity
5. Maintaining data confidentiality
6. Helping with the anti-replay service using the authentication header
• Disadvantages:
• Listed below are the disadvantages of Encapsulating Security Payload:
1. There is a restriction on the encryption method to be used
2. For global use and implementation, weaker encryption algorithms are mandatory to support
The ESP structure is composed of the following parts:
• 1. Security Parameter Index:
  • The Security Parameter Index is a 32-bit field
  • It is mandatory in ESP and identifies the security link, i.e. the security association
• 2. Sequence Number:
  • The sequence number is 32 bits in size and works as an incrementing counter
  • The first packet sent through an SA is assigned sequence number 1
• 3. Payload Data:
  • Payload data has no fixed size; it is variable in length
  • It is the data/content that is secured by encryption
• 4. Padding:
  • Padding is 0-255 bytes long
  • Padding ensures that the payload data to be sent securely fits the cipher block correctly
• 5. Pad Length:
  • Pad Length is an 8-bit field
  • It gives the number of padding bytes that precede it
• 6. Next Header:
  • Next Header is an 8-bit field
  • It identifies the type of data in the payload, i.e. the first header found in the payload
• 7. Authentication Data:
  • The size of the authentication data is variable, never fixed, and depends on the use case
  • Authentication data is an optional field, present only when the SA selects it. It serves the purpose of providing integrity
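To tie the ESP field layout above to the two modes described under Modes of Operation and Modes in ESP, here is an added example (not the lecture's code) that builds an ESP packet field by field, SPI, Sequence Number, encrypted Payload plus Padding, Pad Length and Next Header, then Authentication Data, and wraps it in transport mode (original header kept, only the TCP segment protected) and in tunnel mode (whole original packet hidden inside a new, larger packet between two gateways). Assumptions: a 16-byte cipher block size, HMAC-SHA256 truncated to 128 bits for the Authentication Data, fixed constructed keys, constructed addresses and segment bytes, and a deliberately toy keystream (SHA-256 in counter mode) standing in for the SA's real cipher such as AES; all function names are the example's own.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number carried in the outer IP header for ESP
PROTO_TCP = 6           # Next Header when the payload is a TCP segment (transport mode)
PROTO_IPV4 = 4          # Next Header when the payload is a whole IPv4 packet (tunnel mode)
BLOCK = 16              # cipher block size the trailer is padded to, as for AES (assumption)
ICV_LEN = 16            # HMAC-SHA256-128 style truncated Authentication Data (assumption)
ENC_KEY = b"constructed-esp-encryption-key!!"    # constructed demo keys; a real SA
AUTH_KEY = b"constructed-esp-integrity-key!!!"   # gets both from key management (IKE)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def ipv4_checksum_ok(hdr):
    """True when the ones-complement sum of the header, checksum included, folds to 0xFFFF."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def toy_keystream_xor(key, seq, data):
    """TOY stand-in for the SA's cipher: SHA-256 counter-mode keystream XORed over the data.
    Not a real cipher (ESP uses e.g. AES from the negotiated SA); being an XOR it both
    encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!II", seq, i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_encapsulate(spi, seq, payload, next_header):
    """SPI | Sequence Number | encrypt(Payload | Padding | Pad Length | Next Header) | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK          # make payload + trailer a multiple of BLOCK
    padding = bytes(range(1, pad_len + 1))           # default pad pattern 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    ciphertext = toy_keystream_xor(ENC_KEY, seq, plaintext)
    # Authentication Data covers the ESP header and ciphertext, never the outer IP header
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(esp):
    """Receiver: verify the ICV before decrypting; return (spi, seq, payload, next_header)."""
    header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified in transit or wrong SA key")
    spi, seq = struct.unpack("!II", header)
    plaintext = toy_keystream_xor(ENC_KEY, seq, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, plaintext[:-(pad_len + 2)], next_header


def transport_mode(src, dst, segment, spi, seq):
    """Host-to-host: the host's own IP header stays visible; ESP protects only the segment."""
    esp = esp_encapsulate(spi, seq, segment, PROTO_TCP)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(ip_packet, gw_src, gw_dst, spi, seq):
    """Gateway-to-gateway: the whole original packet, header included, is encrypted and
    carried inside a new, larger packet addressed between the two gateways."""
    esp = esp_encapsulate(spi, seq, ip_packet, PROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


SPI = 0x00001234                               # constructed SPI value
SEGMENT = b"constructed TCP segment"           # 23 constructed bytes standing in for a TCP segment
ORIGINAL = ipv4_header("10.1.1.5", "10.2.2.7", PROTO_TCP, len(SEGMENT)) + SEGMENT


def build_transport():
    return transport_mode("10.1.1.5", "10.2.2.7", SEGMENT, SPI, 1)


def build_tunnel():
    # inner addresses stay hidden; only the gateway addresses (documentation ranges) are visible
    return tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", SPI, 2)


def tamper_is_detected(packet):
    """Flip one bit of the first ciphertext byte (20-byte IP + 8-byte ESP header = offset 28)."""
    bad = bytearray(packet)
    bad[28] ^= 0x01
    try:
        esp_decapsulate(bytes(bad[20:]))
        return False
    except ValueError:
        return True
```

Comparing the two builders makes the size difference from the Modes of Operation slide concrete: the transport packet is 76 bytes (20-byte host header, 8-byte ESP header, 32 bytes of encrypted segment plus trailer, 16-byte ICV), while the tunnel packet is 92 bytes because the original 43-byte packet, header included, is itself padded and encrypted behind a new 20-byte gateway header. In both cases an ICV failure is raised before any decryption is attempted.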
