IP Security

The document discusses IP Security (IPSec), which provides security at the IP packet level to protect data from unauthorized access and modification. It highlights the advantages of IPSec, including secure remote access, branch office connectivity, and interconnectivity between organizations, while also detailing its two main services: authentication and confidentiality through the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. Additionally, it explains the packet format and modes of operation, including Tunnel Mode and Transport Mode.

Uploaded by

mummuboo2121

IP Security

• The IP packets contain data in plain text form. That is, anyone
watching the IP packets pass by can actually access them, read
their contents and even change them.
• We have studied higher-level security mechanisms (such as SSL,
SHTTP, PGP, PEM, S/MIME and SET) to prevent such kinds of
attacks.
• Although these higher-level protocols enhance the protection
mechanisms, for a long time there was a general feeling: why not
secure the IP packets themselves? If we can achieve this, then we
need not rely only on the higher-level security mechanisms.
• The higher-level security mechanisms can then serve as
additional security measures.
We will have two levels of security in this scheme:
• First offer security at the IP packet level itself.
• Continue implementing higher-level security
mechanisms, depending on the requirements.
• In 1994, the Internet Architecture Board (IAB)
prepared a report called Security in the Internet
Architecture (RFC 1636).
• This report stated that the Internet was a very open
network, which was unprotected from hostile
attacks.
• Therefore, said the report, the Internet needs
better security measures, in terms of
authentication, integrity and confidentiality.
• The outcome of the study and the IAB’s report is the
protocol for providing security at the IP level, called
IP Security (IPSec).
• In 1995, the Internet Engineering Task Force (IETF)
published five security based standards related to
IPSec, as shown in Table 9.2.
IPv4 may support these features,
but IPv6 must support them.
The logical format of a message after IPSec processing is
shown in Fig. 9.26
Applications and advantages
• Secure remote Internet access: Using IPSec, we can make a local call to
our Internet Service Provider (ISP) so as to connect to our organization’s
network in a secure fashion from our home or hotel. From there, we can
access the corporate network facilities or access remote desktops/
servers.
• Secure branch office connectivity: Rather than subscribing to an
expensive leased line for connecting its branches across cities/countries,
an organization can set up an IPSec-enabled network to securely connect
all its branches over the Internet.
• Set up communication with other organizations: Just as IPSec allows
connectivity between various branches of an organization, it can also be
used to connect the networks of different organizations together in a
secure and inexpensive fashion.
Advantages
• IPSec is transparent to the end users. There is no need for any
user training, key issuance or revocation.
• When IPSec is configured to work with a firewall, it becomes
the only entry-exit point for all traffic, making it extra
secure.
• IPSec works at the network layer.
• When IPSec is implemented in a firewall or a router, all the
outgoing and incoming traffic gets protected. However, the
internal traffic does not have to use IPSec. Thus, it does not
add any overheads for the internal traffic.
• IPSec can allow traveling staff to have secure access to the
corporate network.
• IPSec allows interconnectivity between branches/offices in a
very inexpensive manner.
IPSec Protocols

IPSec features are implemented in the form of additional IP headers
(called extension headers) added to the standard, default IP headers. IPSec
offers two main services: authentication and confidentiality.
These services are provided by two protocols, which serve the following purposes.
• The Authentication Header (AH) protocol provides authentication,
integrity and an optional anti-replay service. The IPSec AH is a header in an
IP packet, which contains a cryptographic checksum (similar to a message
digest or hash) for the contents of the packet. The AH is simply inserted
between the IP header and any subsequent packet contents. No changes
are required to the data contents of the packet. Thus, security resides
completely in the contents of the AH.
• The Encapsulating Security Payload (ESP) protocol provides data
confidentiality. The ESP protocol also defines a new header to be inserted
into the IP packet. ESP processing also includes the transformation of the
protected data into an unreadable, encrypted format. Under normal
circumstances, the ESP will be inside the AH. That is, encryption happens
first and then authentication.
Packet Format
• Security Parameter Index (SPI): This parameter is used by the
Security Association. It gives a unique number to the
connection built between the client and the server.
• Sequence Number: A unique sequence number is allotted to
every packet so that, on the receiver side, the packets can be
arranged properly.
• Payload Data: Payload data means the actual data or the
actual message. The Payload data is in an encrypted format
to achieve confidentiality.
• Padding: Extra bits of space are added to the original
message in order to ensure confidentiality. Pad Length is
the size of the padding added to the original message.
• Next Header: Next header means the next payload or next
actual data.
• Authentication Data: This field is optional in the ESP protocol
packet format.
• Encryption algorithm: The encryption algorithm is the
document that describes various encryption algorithms used
for Encapsulation Security Payload.
• AH Protocol: The AH (Authentication Header) protocol provides
both authentication and integrity services. The Authentication
Header is implemented in one way only: authentication
along with integrity.
• Authentication Header covers the packet format and general
issues related to the use of AH for packet authentication and
integrity.
• Authentication Algorithm: The authentication
Algorithm contains the set of documents that
describe the authentication algorithm used for AH
and for the authentication option of ESP.
• DOI (Domain of Interpretation): The DOI is the
identifier that supports both the AH and ESP protocols.
It contains the values that the related documents
need in order to refer to each other.
• Key Management: Key Management contains the
document that describes how the keys are
exchanged between sender and receiver.
• Tunnel Mode
• In tunnel mode, the entire original IP packet is
encapsulated to become the payload of a new IP
packet.
• Transport Mode
• The main difference in transport mode is that it
retains the original IP header. In other words, only the
payload data transmitted within the original IP
packet is protected.
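The following Python is an added example, not code from the slides: it lays out the ESP fields listed in the packet format section (SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data) around a constructed TCP-over-IPv4 packet in both transport and tunnel mode, and parses the result back. Encryption and the real ICV computation are left out, and the gateway addresses, the 12-byte dummy ICV and the 16-byte block size are assumptions.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (version/IHL, TOS, total length, id,
    flags/fragment, TTL, protocol, checksum left zero, src, dst)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def esp_wrap(spi: int, seq: int, inner: bytes, next_header: int,
             block_size: int = 16, icv: bytes = b"\xaa" * 12) -> bytes:
    """Lay out an ESP packet: SPI | Sequence Number | Payload Data | Padding |
    Pad Length | Next Header | Authentication Data (ICV). The payload is left
    unencrypted and the ICV is a dummy; only the structure is demonstrated."""
    pad_len = (-(len(inner) + 2)) % block_size          # pad to the cipher block size
    padding = bytes(range(1, pad_len + 1))               # RFC 4303 default pad pattern
    return (struct.pack("!II", spi, seq) + inner + padding
            + bytes([pad_len, next_header]) + icv)

def esp_unwrap(data: bytes, icv_len: int) -> dict:
    """Inverse of esp_wrap. icv_len is taken from the Security Association
    selected by the SPI, because the ICV length is not carried in the packet."""
    spi, seq = struct.unpack("!II", data[:8])
    body, icv = data[8:len(data) - icv_len], data[len(data) - icv_len:]
    pad_len, next_header = body[-2], body[-1]
    return {"spi": spi, "seq": seq, "pad_len": pad_len, "next_header": next_header,
            "payload": body[:len(body) - 2 - pad_len], "icv": icv}

def transport_mode(orig_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original IP header is kept (protocol becomes ESP);
    only the transport payload is protected. Next Header names the original
    upper-layer protocol."""
    hdr, payload = orig_packet[:20], orig_packet[20:]
    esp = esp_wrap(spi, seq, payload, hdr[9])           # hdr[9] = original protocol
    return ipv4_header(hdr[12:16], hdr[16:20], IPPROTO_ESP, 20 + len(esp)) + esp

def tunnel_mode(orig_packet: bytes, spi: int, seq: int, gw_src: bytes, gw_dst: bytes) -> bytes:
    """Tunnel mode: the whole original packet, header included, becomes the ESP
    payload; a new outer IP header between the gateways carries it and
    Next Header = 4 (IP-in-IP)."""
    esp = esp_wrap(spi, seq, orig_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp)) + esp

# Constructed sample: a TCP segment from 10.0.0.5 to 10.0.1.9 with dummy TCP bytes
ORIG = ipv4_header(b"\x0a\x00\x00\x05", b"\x0a\x00\x01\x09", IPPROTO_TCP, 20 + 11) + b"hello world"
```

In transport mode the ESP Next Header reads back as 6 (TCP) and the outer addresses are the original hosts; in tunnel mode it reads back as 4 and the payload is the complete original packet with its own IP header.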