IP-Level Security: IPSec
IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for packets at the IP level, so that every transport-layer protocol above it (TCP, UDP, and the rest) is protected without modification.
IPSec does not mandate any specific encryption or authentication algorithm. Instead, it provides a framework and a mechanism: the choice of encryption, authentication, and hashing methods is left to the two parties, who agree on them when the association is set up.
Security Association
IPSec requires a logical connection between the two hosts, called a Security Association (SA), which must exist before any protected traffic flows. In practice it is negotiated by a signaling protocol (IKE) or configured manually.
In other words, IPSec layers connection-oriented state on top of the connectionless IP protocol before security can be applied.
An SA is a simplex (unidirectional) relationship between a source and a destination. If a duplex (bidirectional) connection is needed, two SAs are required, one in each direction, each with its own keys. An SA is uniquely identified by three elements:
1. A 32-bit security parameter index (SPI), chosen by the receiving side, which plays the role of a virtual circuit identifier in connection-oriented protocols such as Frame Relay or ATM.
2. The security protocol in use. We will see shortly that IPSec defines two alternative protocols: AH and ESP.
3. The destination IP address.
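The following is an added example, not code from the original post or from any IPSec implementation. It models a Security Association Database keyed by the (SPI, protocol, destination) triple described above, with the receiver choosing the SPI for its inbound direction, and shows why one bidirectional connection needs two simplex SAs. The host names, keys and the SAD layout are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

AH, ESP = 51, 50   # IP protocol numbers that identify the security protocol of an SA


@dataclass(frozen=True)
class SA:
    spi: int        # 32-bit Security Parameter Index, chosen by the receiving end
    protocol: int   # AH or ESP
    dst: str        # destination address; with spi and protocol this is the SA's identity
    src: str        # not part of the identity, kept for policy checks
    key: bytes      # per-direction symmetric key (constructed sample; IKE would derive it)


class SAD:
    """Security Association Database keyed by (SPI, protocol, destination).
    Assumed structure for illustration, not a particular implementation."""

    def __init__(self):
        self._sas = {}

    def allocate_inbound_spi(self, protocol, dst):
        """The receiver picks the SPI for traffic sent *to* it. SPI 0 is reserved for
        local use and 1-255 are reserved by IANA (RFC 4302/4303), so choose from 256 up."""
        while True:
            spi = 256 + secrets.randbelow(2**32 - 256)
            if (spi, protocol, dst) not in self._sas:
                return spi

    def add(self, sa):
        self._sas[(sa.spi, sa.protocol, sa.dst)] = sa

    def lookup(self, spi, protocol, dst):
        """Inbound lookup using only the fields a received packet carries; None if no match."""
        return self._sas.get((spi, protocol, dst))


def establish_duplex(sad_a, host_a, sad_b, host_b, protocol, key_ab, key_ba):
    """Two simplex SAs make one bidirectional association: A->B is inbound at B, so B's
    SAD chooses its SPI; B->A is inbound at A, so A's SAD chooses. Both hosts keep both."""
    sa_ab = SA(sad_b.allocate_inbound_spi(protocol, host_b), protocol, host_b, host_a, key_ab)
    sa_ba = SA(sad_a.allocate_inbound_spi(protocol, host_a), protocol, host_a, host_b, key_ba)
    for sad in (sad_a, sad_b):
        sad.add(sa_ab)
        sad.add(sa_ba)
    return sa_ab, sa_ba


def demo():
    """Constructed scenario: hosts 10.0.0.1 (A) and 10.0.0.2 (B) set up ESP in both directions."""
    sad_a, sad_b = SAD(), SAD()
    sa_ab, sa_ba = establish_duplex(sad_a, "10.0.0.1", sad_b, "10.0.0.2", ESP,
                                    b"key-a-to-b", b"key-b-to-a")
    return {
        # a packet arriving at B with A->B's SPI, protocol ESP, destination B selects the right SA
        "b_finds_inbound": sad_b.lookup(sa_ab.spi, ESP, "10.0.0.2") is sa_ab,
        # the same SPI under AH is a different (here: nonexistent) SA
        "same_spi_other_protocol": sad_b.lookup(sa_ab.spi, AH, "10.0.0.2") is None,
        # an SPI is only meaningful for one direction: A->B's SPI never selects A->B at A
        "same_spi_other_direction": sad_a.lookup(sa_ab.spi, ESP, "10.0.0.1") is not sa_ab,
        "keys_differ_per_direction": sa_ab.key != sa_ba.key,
        "spis_outside_reserved_range": sa_ab.spi >= 256 and sa_ba.spi >= 256,
    }


if __name__ == "__main__":
    print(demo())
```

Real stacks also consult a separate Security Policy Database to decide which SA an outbound packet should use; the SAD above only answers the inbound question the triple is designed for.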
Two Modes |
IPSec operates in two different modes: transport mode and tunnel mode. The mode defines where the IPSec header is added to the IP packet.
Transport Mode
In this mode, the IPSec header is inserted between the IP header and the rest of the packet (the transport-layer segment), as shown in the figure. The original IP header stays in front, so transport mode protects only the payload and is used end to end between two hosts. In tunnel mode, by contrast, the entire original IP packet becomes the protected payload and a new outer IP header is placed in front of the IPSec header, which is what lets a security gateway protect traffic on behalf of the hosts behind it.
Two Security Protocols |
IPSec defines two protocols: Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol. We discuss both of these protocols here. |
Authentication Header (AH) Protocol |
The Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet.
The protocol computes an integrity check value (a keyed message digest, for example an HMAC computed with a shared symmetric key) and inserts it in the authentication header. The digest covers the payload, the AH itself, and the fields of the IP header that do not change in transit; mutable fields such as TTL and the header checksum are zeroed before hashing. Because the source and destination addresses are covered, a NAT device that rewrites them breaks AH verification.
The AH is put in the appropriate location based on the mode (transport or tunnel).
The figure shows the position of the authentication header in transport mode.
Encapsulating Security Payload
The AH protocol does not provide confidentiality (privacy), only source authentication and data integrity.
IPSec therefore also defines an alternative protocol that provides source authentication, integrity, and confidentiality, called Encapsulating Security Payload (ESP).
ESP adds both a header and a trailer. Note that ESP's authentication data are appended at the end of the packet, after the trailer, which makes the calculation easier: the sender can compute the digest while the packet is being emitted and the receiver while it is being read. Unlike AH, ESP's integrity check covers only the ESP header, the (encrypted) payload, and the ESP trailer, not the outer IP header, which is why ESP survives NAT where AH does not.
Figure 31.4 shows the location of the ESP header and trailer. |
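The header placement described for transport mode, the AH digest, and the ESP header/trailer/ICV layout, as an added example that is not part of the original post or of any IPSec implementation. It builds both packet forms over a minimal IPv4 header and verifies them, then simulates a router hop (TTL decrement) and a NAT (source rewrite) to show which fields each protocol protects. Assumptions: HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, NULL encryption for ESP (RFC 2410) so the layout stays readable, a fixed sample key, and a hand-built IP header whose checksum is left zero.

```python
import hmac
import hashlib
import struct

KEY = bytes(range(32))   # constructed sample key; a real SA gets it from IKE
ICV_LEN = 16             # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
AH, ESP = 51, 50


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options. Checksum is left zero for the example."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip(src), ip(dst))


def _ah_zeroed(ip_hdr):
    """Zero the mutable IP header fields before hashing (RFC 4302): TOS/DSCP,
    flags + fragment offset, TTL, header checksum. Addresses and length stay."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_transport(src, dst, spi, seq, payload, next_header=17):
    """Transport mode AH: IP header (proto 51) | AH | payload.
    AH = next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH, 20 + ah_len + len(payload))
    ah = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    icv = hmac.new(KEY, _ah_zeroed(ip_hdr) + ah + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah[:12] + icv + payload


def ah_verify(packet):
    ip_hdr, rest = packet[:20], packet[20:]
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    zeroed_ah = ah[:12] + bytes(ah_len - 12)
    expected = hmac.new(KEY, _ah_zeroed(ip_hdr) + zeroed_ah + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(ah[12:], expected)


def esp_transport(src, dst, spi, seq, payload, next_header=17):
    """Transport mode ESP with NULL encryption: IP header (proto 50) | ESP header (SPI, seq) |
    payload | padding | pad length | next header | ICV. The ICV covers ESP header through
    next header; the IP header in front is not covered."""
    pad_len = (-(len(payload) + 2)) % 4           # align trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP, 20 + len(body) + ICV_LEN) + body + icv


def esp_verify(packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_src(packet, new_src):
    """Toy NAT: rewrite the source address only (a real NAT would also fix the checksum)."""
    h = bytearray(packet)
    h[12:16] = bytes(int(x) for x in new_src.split("."))
    return bytes(h)


def decrement_ttl(packet):
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def demo():
    payload = b"UDP datagram (constructed sample)"
    ah = ah_transport("10.0.0.1", "10.0.0.2", 0x1000, 1, payload)
    esp = esp_transport("10.0.0.1", "10.0.0.2", 0x1001, 1, payload)
    return {
        "ah_ok": ah_verify(ah),
        "ah_after_router_hop": ah_verify(decrement_ttl(ah)),                  # TTL is mutable: still valid
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "203.0.113.5")),         # source is covered: fails
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "203.0.113.5")),      # IP header not covered: valid
        "esp_tampered_payload": esp_verify(esp[:30] + bytes([esp[30] ^ 1]) + esp[31:]),  # fails
    }


if __name__ == "__main__":
    print(demo())
```

The example omits what a real stack adds on top of the layout: the anti-replay check on the sequence number, an actual cipher in place of NULL encryption, and a correct IP checksum. It is enough to see the point of the text: the AH digest reaches into the IP header, the ESP digest stops at the ESP trailer.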
Thursday, February 5, 2009